CVE-2026-42839
Deferred Deferred - Pending Action
Authenticated Stored XSS in ERPNext Point of Sale Cart

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: Fluid Attacks

Description
An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a transaction.This issue affects ERPNext: 16.16.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-42839
EUVD
EUVD-2026-34158
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
frappe erpnext 16.16.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42839 is a stored cross-site scripting (XSS) vulnerability in ERPNext version 16.16.0.

An authenticated ERPNext user with Item record edit permissions can inject malicious HTML or JavaScript into the item_name, description, or image fields of an Item record.

When this item is added to the Point of Sale (POS) cart, the malicious code is rendered unescaped in the POS interface for all operators, allowing arbitrary code execution in their browsers.

The vulnerability exists because the rendering function in pos_item_cart.js uses jQuery's .html() method to embed user-controlled data directly into HTML without proper sanitization.

The sanitization for the description field is weak and only triggers if the content contains the literal string "<div>", allowing other HTML tags with event handlers or script tags to bypass it.

Additionally, the image field is injected directly into an img src attribute without escaping, enabling further XSS payloads.

Compliance Impact

The vulnerability allows an authenticated user to inject arbitrary HTML or JavaScript into item records, which can then execute in the browsers of other POS operators. This stored cross-site scripting (XSS) issue could lead to unauthorized code execution, potentially exposing sensitive data or enabling further attacks.

Such a vulnerability may impact compliance with standards and regulations like GDPR or HIPAA, as it could lead to unauthorized access or disclosure of personal or sensitive information processed through the ERP system. The ability to execute arbitrary scripts in the POS interface could undermine data integrity and confidentiality requirements mandated by these regulations.

However, the provided information does not explicitly detail the compliance impact or any specific regulatory breaches caused by this vulnerability.

Impact Analysis

This vulnerability allows an authenticated user with edit permissions to execute arbitrary JavaScript code in the browsers of other POS operators.

Such code execution can lead to session hijacking, theft of sensitive information, unauthorized actions on behalf of the user, or spreading malware.

Because the malicious payload is stored and triggered whenever the item is added to a transaction, it can affect multiple users repeatedly.

The vulnerability is remotely exploitable and has a medium severity CVSS score of 4.8.

Detection Guidance

This vulnerability can be detected by inspecting Item records in ERPNext version 16.16.0 for the presence of arbitrary HTML or JavaScript code in the item_name, description, or image fields.

Since the issue involves stored cross-site scripting (XSS) where malicious code is injected into these fields, you can search the database or export item records to look for suspicious HTML tags such as <script>, <img> with event handlers, or other unusual HTML content.

No specific network commands are provided, but database queries or ERPNext API calls to retrieve and scan these fields for suspicious content would be appropriate.

  • Example SQL query to find suspicious HTML tags in item_name or description fields: SELECT name, item_name, description FROM tabItem WHERE item_name LIKE '%<script>%' OR description LIKE '%<script>%' OR item_name LIKE '%<img%' OR description LIKE '%<img%';
  • Alternatively, export item data and use text search tools (e.g., grep) to find suspicious HTML or JavaScript payloads.
Mitigation Strategies

Immediate mitigation steps include restricting or reviewing permissions for users who can edit Item records, especially those with item_name, description, or image field edit rights.

Since there is currently no available patch for this vulnerability, it is important to limit the ability of authenticated users to inject malicious content.

Additionally, avoid adding suspicious items to the Point of Sale (POS) cart interface until the vulnerability is resolved.

Implement manual sanitization or validation of input fields to prevent HTML/JavaScript injection if possible.

Monitor ERPNext official channels for updates or patches addressing this issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42839. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart