Cross Site Scripting Vulnerability in ERPNext by Frappe

CVE-2026-38432

What is CVE-2026-38432?

The ERPNext Email Template engine prior to version v15.103.1 is susceptible to Cross Site Scripting (XSS), allowing authenticated users to inject malicious JavaScript. Since users with permission to edit or create email templates can exploit this flaw, attackers can execute arbitrary scripts in the context of a victim's browser session during template application. This presents a significant risk as it could lead to unauthorized data access or manipulation.

References