
ERPNext CVE-2026-42839
EUVD-2026-34158 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
Published 2026-06-03 · Reported by Fluid Attacks · GHSA-hc32-c5xw-9f2m
CVSS 4.0 (NVD): 4.8

Severity by source

NVD (primary; only source for this CVE): 4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS vector (NVD), base metrics as listed:
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: High (PR:H)
User Interaction: Passive (UI:P)
Scope: X (not defined; Scope is not a CVSS 4.0 metric)

Lifecycle Timeline

Jun 03, 2026 21:22 (vuln.today): Analysis generated
Jun 03, 2026 19:22 (NVD): CVSS changed to 4.8 (MEDIUM)
Jun 03, 2026 17:44 (NVD): CVE published, severity UNKNOWN (no severity yet)

Description (CVE.org)

An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a transaction. This issue affects ERPNext: 16.16.0.

Analysis (AI-generated)

Stored cross-site scripting in ERPNext 16.16.0 allows an authenticated user holding Item record edit permissions to persist malicious HTML/JavaScript in the item_name, description, or image fields, which executes unescaped in the Point of Sale (POS) cart interface for any operator who subsequently adds that item to a transaction. Reported by Fluid Attacks (EUVD-2026-34158), this is a stored XSS with lateral impact across all POS operator sessions exposed to the poisoned item record. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate as Item record editor
Delivery: Inject JS payload into item_name, description, or image field
Exploit: Save poisoned Item record to ERPNext database
Execution: POS operator opens transaction and adds poisoned item to cart
Persist: Unescaped JS executes in operator's browser session
Impact: Exfiltrate session token or perform unauthorized POS actions

Vulnerability Assessment (AI-generated)

Exploitation: The attacker must hold an authenticated ERPNext account with Item record edit permissions. This is a high-privilege role (PR:H in the CVSS vector), not available to standard or guest users. …
Risk Assessment: The CVSS 4.0 base score of 4.8 (Medium) reflects a well-bounded risk profile. …
Exploit Scenario: An authenticated ERPNext catalog manager (or an attacker who has compromised such an account) edits an Item record and embeds a JavaScript payload, such as a session cookie exfiltration script, in the item_name or description field before saving. When any POS operator subsequently adds that item to a cart during a sales transaction, the injected payload executes silently in the operator's browser, potentially exfiltrating their session token to an attacker-controlled endpoint. …
Remediation: No vendor-released patch version has been independently confirmed from the available input data. The upstream Frappe GitHub repository at https://github.com/frappe/erpnext should be monitored for commits or tagged releases addressing this stored XSS, and the Fluid Attacks advisory at https://fluidattacks.com/es/advisories/pink should be consulted for patch confirmation. …
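The defect class above and its fix, as an added illustration that is not ERPNext's own code: the vulnerable and the hardened way of building a POS cart row from the item_name, description and image fields named in the advisory, plus a triage check a defender can run over Item records. The row markup, helper names and placeholder image path are assumptions made for this example.

```javascript
// Added example, not ERPNext's own code. Field names item_name, description
// and image come from the advisory; the row markup, helper names and the
// placeholder image path are assumptions made for this illustration.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only site-relative paths or absolute http(s) URLs for the image src;
// javascript:, data: and protocol-relative values get a neutral placeholder.
const SAFE_IMAGE_URL = /^(\/(?!\/)|https?:\/\/)/i;
function safeImageUrl(url) {
  const u = String(url ?? "").trim();
  return SAFE_IMAGE_URL.test(u) ? u : "/assets/placeholder.png";
}

// Vulnerable pattern (the defect class the advisory describes): record fields
// are spliced straight into cart markup, so stored HTML/JS reaches the DOM.
function renderCartRowUnsafe(item) {
  return `<tr><td><img src="${item.image}"></td>` +
         `<td>${item.item_name}</td><td>${item.description}</td></tr>`;
}

// Hardened pattern: escape every field on output, in the context it is used.
function renderCartRow(item) {
  return `<tr><td><img src="${escapeHtml(safeImageUrl(item.image))}"></td>` +
         `<td>${escapeHtml(item.item_name)}</td>` +
         `<td>${escapeHtml(item.description)}</td></tr>`;
}

// Defender triage: list Item records whose fields carry markup or an unsafe
// image URL, so poisoned records can be found and cleaned before a POS
// operator renders them. A legitimate "<" in a description is also listed.
function findSuspiciousItems(items) {
  const markup = /<|javascript:/i;
  return items.filter((it) => {
    const img = String(it.image ?? "").trim();
    return markup.test(it.item_name ?? "") || markup.test(it.description ?? "") ||
           (img !== "" && !SAFE_IMAGE_URL.test(img));
  });
}

// Constructed sample records: one poisoned as the advisory describes, one clean.
const POISONED_ITEM = { item_name: "Widget <script>alert(1)</script>",
                        description: '"><script>alert(1)</script>', image: "javascript:alert(1)" };
const CLEAN_ITEM = { item_name: "Widget & Co. 5mm", description: "Plain text", image: "/files/w.png" };
```

Escaping belongs at the point of output, in the context the value lands in; input-side filtering of Item fields is at most a second layer, not a replacement.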
