Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's browser when the template is applied.
AnalysisAI
Stored Cross Site Scripting in ERPNext v15.103.1 and earlier allows users with email template creation or editing permissions to inject malicious JavaScript that executes in victims' browsers when the template is applied, affecting confidentiality and integrity with a low EPSS score of 0.02% suggesting minimal real-world exploitation despite the moderate CVSS score of 6.1.
Technical ContextAI
The vulnerability exists in ERPNext's email template engine, which processes and renders email templates without proper input sanitization or output encoding. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that user-supplied JavaScript code embedded in template fields is not escaped before being rendered in the browser context. The email template mechanism is a core feature in ERPNext's communication framework, allowing organizations to customize templated messages. When templates are applied or previewed by other users, the injected script executes within their authenticated session context, leveraging the user's existing permissions and session tokens.
RemediationAI
Upgrade ERPNext to a version after v15.103.1 that includes input sanitization and output encoding fixes for the email template engine. If immediate patching is not feasible, implement strict access controls to restrict email template creation and editing permissions to a minimal trusted group of administrators only. Additionally, configure Content Security Policy (CSP) headers with script-src restrictions to prevent execution of injected inline scripts, though this provides defense-in-depth only and is not a replacement for patching. Audit existing email templates created by users for suspicious JavaScript patterns and remove or isolate any templates containing encoded or obfuscated script tags. Test templates in a non-production environment before applying them to production email workflows.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27404
GHSA-78h5-gvjw-7pp9