๐Ÿ” CVE Alert

CVE-2026-42839

UNKNOWN 0.0

ERPNext 16.16.0 - Stored XSS in POS cart item rendering

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a transaction. This issue affects ERPNext: 16.16.0.

CWE: CWE-79
Vendor: frappe
Product: erpnext
Published: Jun 3, 2026
Last Updated: Jun 3, 2026

Affected Versions

Frappe / ERPNext
16.16.0

References

NVD, CVE.org, EPSS Data
fluidattacks.com: https://fluidattacks.com/es/advisories/pink
github.com: https://github.com/frappe/erpnext

Credits

Fluid Attacks' AI SAST Scanner
Oscar Naveda