ERPNext 16.16.0 - Stored XSS in POS cart item rendering
CVE-2026-42839

4.8MEDIUM

Key Information:

Vendor: Frappe
Status: Erpnext
Vendor: CVE Published:; 3 June 2026

What is CVE-2026-42839?

An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a transaction.This issue affects ERPNext: 16.16.0.

Affected Version(s)

ERPNext Windows 16.16.0

References

https://fluidattacks.com/es/advisories/pink

third-party-advisory

https://github.com/frappe/erpnext

product

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 3, 2026
Vulnerability Reserved
Apr 30, 2026

Credit

Fluid Attacks' AI SAST Scanner

Oscar Naveda

CVE-2026-42839 Data

JSON