CVE-2026-38432
Cross Site Scripting in ERPNext Email Template Engine
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| erpnext | erpnext | up to 15.103.1 (inclusive) |
| frappe | erpnext | up to 15.103.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
ERPNext versions v15.103.1 and earlier contain a Cross Site Scripting (XSS) vulnerability in the Email Template engine.
An attacker who has permission to create or edit email templates can inject malicious JavaScript code.
This malicious code is executed in the browser of any user who views or applies the compromised email template.
How can this vulnerability impact me?
This vulnerability allows an attacker with email template editing permissions to execute arbitrary JavaScript code in the browsers of users who receive or view the affected email templates.
Such code execution can lead to theft of sensitive information, session hijacking, or other malicious actions performed on behalf of the victim.