๐Ÿ” CVE Alert

CVE-2026-42840

UNKNOWN 0.0

ERPNext 16.16.0 - Stored XSS in POS customer section via unescaped template literals

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0.
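The sink described above, as an added example that is not ERPNext or Frappe code: a Customer record is rendered into a POS fragment with a JavaScript template literal, once with raw interpolation (the vulnerable pattern) and once with every stored field passed through an HTML escaper (the fix). The field names email_id and mobile_no come from the advisory; the render functions, the escaper, the tag-checking helper and the sample record are constructed for this example and are not the project's own API.

```javascript
// Added example, not ERPNext/Frappe code. Demonstrates why interpolating
// stored Customer fields into an HTML template literal is a stored-XSS sink
// and how output escaping neutralises it. Field names email_id / mobile_no
// are from the advisory; everything else here is constructed.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can change HTML context.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: raw interpolation of stored fields into markup.
// Whatever was saved on the Customer is parsed as HTML by every POS operator's browser.
function renderCustomerUnsafe(customer) {
  return `<div class="customer">
  <span class="name">${customer.customer_name}</span>
  <span class="email">${customer.email_id}</span>
  <span class="mobile">${customer.mobile_no}</span>
</div>`;
}

// Hardened pattern: every untrusted value is escaped before it reaches the template.
function renderCustomerSafe(customer) {
  return `<div class="customer">
  <span class="name">${escapeHtml(customer.customer_name)}</span>
  <span class="email">${escapeHtml(customer.email_id)}</span>
  <span class="mobile">${escapeHtml(customer.mobile_no)}</span>
</div>`;
}

// Regression check: does the rendered fragment contain any element the
// template itself does not emit? True means stored data became markup.
function containsForeignTag(html, allowed = ["div", "span"]) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample record; the fields hold harmless marker markup only.
const sampleCustomer = {
  customer_name: "ACME <Test>",
  email_id: "<b>marker</b>@example.invalid",
  mobile_no: "+1 555 0100",
};

// Stand-alone run: the unsafe render leaks extra tags, the safe one does not.
function demo() {
  const unsafe = renderCustomerUnsafe(sampleCustomer);
  const safe = renderCustomerSafe(sampleCustomer);
  return { unsafeLeaks: containsForeignTag(unsafe), safeLeaks: containsForeignTag(safe) };
}

console.log(demo()); // { unsafeLeaks: true, safeLeaks: false }
```

The same escaping step belongs at every point where a stored Customer field is interpolated into DOM markup; checking the rendered fragment for unexpected elements, as containsForeignTag does, is a cheap unit test to keep the fix from regressing.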

CWE CWE-79
Vendor frappe
Product erpnext
Published Jun 3, 2026
Last Updated Jun 3, 2026

Affected Versions

Frappe / ERPNext
16.16.0

References

NVD, CVE.org, EPSS Data
fluidattacks.com: https://fluidattacks.com/es/advisories/weeknd
github.com: https://github.com/frappe/erpnext

Credits

Fluid Attacks' AI SAST Scanner
Oscar Naveda