CVE-2026-42840: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Frappe ERPNext
An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0.
AI Analysis
Technical Summary
This vulnerability (CWE-79) allows an authenticated user in ERPNext 16.16.0 to persistently inject HTML or JavaScript code into specific customer fields (email_id or mobile_no). When another operator accesses the POS interface and selects the affected customer, the injected code is rendered unescaped, enabling cross-site scripting attacks. The CVSS 4.0 base score is 5.1, indicating a medium severity with network attack vector, low complexity, and limited impact on confidentiality, integrity, and availability.
Potential Impact
An attacker with authenticated access can execute arbitrary scripts in the context of other POS operators by injecting code into customer records. This can lead to session hijacking, unauthorized actions, or information disclosure within the POS interface. However, the attack requires authentication and user interaction (selecting the customer), limiting its impact scope.
Mitigation Recommendations
Patch status is not yet confirmed—no official fix or remediation level is provided by the vendor or advisory. Users should monitor the vendor's advisories for updates. Until a patch is available, restrict authenticated user permissions to trusted personnel only and consider additional input validation or sanitization controls on customer data fields if possible.
CVE-2026-42840: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Frappe ERPNext
Description
An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0.
CVSS v4.0
Score 5.1medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CWE-79) allows an authenticated user in ERPNext 16.16.0 to persistently inject HTML or JavaScript code into specific customer fields (email_id or mobile_no). When another operator accesses the POS interface and selects the affected customer, the injected code is rendered unescaped, enabling cross-site scripting attacks. The CVSS 4.0 base score is 5.1, indicating a medium severity with network attack vector, low complexity, and limited impact on confidentiality, integrity, and availability.
Potential Impact
An attacker with authenticated access can execute arbitrary scripts in the context of other POS operators by injecting code into customer records. This can lead to session hijacking, unauthorized actions, or information disclosure within the POS interface. However, the attack requires authentication and user interaction (selecting the customer), limiting its impact scope.
Mitigation Recommendations
Patch status is not yet confirmed—no official fix or remediation level is provided by the vendor or advisory. Users should monitor the vendor's advisories for updates. Until a patch is available, restrict authenticated user permissions to trusted personnel only and consider additional input validation or sanitization controls on customer data fields if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Fluid Attacks
- Date Reserved
- 2026-04-30T15:23:30.711Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a207a8be29bf47b50dc5162
Added to database: 6/3/2026, 7:03:39 PM
Last enriched: 6/3/2026, 7:19:08 PM
Last updated: 6/4/2026, 4:58:20 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.