CVE-2026-42839

EPSS 0.26%
Veröffentlicht 03.06.2026 17:44:41
Zuletzt bearbeitet 04.06.2026 15:23:52
Quelle help@fluidattacks.com
CVE-Watchlists
Login
Unerledigt
Login

ERPNext 16.16.0 - Stored XSS in POS cart item rendering

An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a transaction.This issue affects ERPNext: 16.16.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerFrappe

≫

Produkt ERPNext

Default Statusunaffected

Version 16.16.0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.26%	0.172

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
help@fluidattacks.com	4.8	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/frappe/erpnext

https://fluidattacks.com/es/advisories/pink

https://nvd.nist.gov/vuln/detail/CVE-2026-42839

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-42839

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-42839

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-42839