ERPNext 16.16.0 - Stored XSS in POS customer section via unescaped template literals
CVE-2026-42840

5.1MEDIUM

Key Information:

Vendor: Frappe
Status: Erpnext
Vendor: CVE Published:; 3 June 2026

What is CVE-2026-42840?

An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0.

Affected Version(s)

ERPNext Windows 16.16.0

References

https://fluidattacks.com/es/advisories/weeknd

third-party-advisory

https://github.com/frappe/erpnext

product

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 3, 2026
Vulnerability Reserved
Apr 30, 2026

Credit

Fluid Attacks' AI SAST Scanner

Oscar Naveda

CVE-2026-42840 Data

JSON