Cross-Site Scripting Vulnerability in ERP Online by erponline.xyz
CVE-2026-6651

4.8 MEDIUM

Key Information:

Vendor
CVE Published: 20 April 2026

What is CVE-2026-6651?

A cross-site scripting vulnerability has been identified in ERP Online up to version 4.0.0, affecting the Inventory Edit Item Page component. A malicious actor can manipulate the Item Name input field to execute arbitrary scripts in the context of an unsuspecting user's browser. The attack can be launched remotely and can compromise user data and application integrity. The vendor was notified early but has not responded to address this serious flaw.

Affected Version(s)

ERP Online 4.0

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andrea Intilangelo
acme (VulDB User)
VulDB CNA Team