CVE-2026-42839
Authenticated Stored XSS in ERPNext Point of Sale Cart
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: Fluid Attacks
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | erpnext | 16.16.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42839 is a stored cross-site scripting (XSS) vulnerability in ERPNext version 16.16.0.
An authenticated ERPNext user with Item record edit permissions can inject malicious HTML or JavaScript into the item_name, description, or image fields of an Item record.
When this item is added to the Point of Sale (POS) cart, the malicious code is rendered unescaped in the POS interface for all operators, allowing arbitrary code execution in their browsers.
The vulnerability exists because the rendering function in pos_item_cart.js uses jQuery's .html() method to embed user-controlled data directly into HTML without proper sanitization.
The sanitization for the description field is weak and only triggers if the content contains the literal string "<div>", allowing other HTML tags with event handlers or script tags to bypass it.
Additionally, the image field is injected directly into an img src attribute without escaping, enabling further XSS payloads.
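The rendering pattern the answer describes, shown as an added example that is not ERPNext's own pos_item_cart.js: a hypothetical cart-row renderer that concatenates the item fields into markup verbatim and only strips the description when it happens to contain "<div>", next to a hardened version that escapes every field for the context it lands in and validates the image reference before it reaches an img src. The field names item_name, description and image come from the advisory; escapeHtml, safeImageSrc, renderCartRowUnsafe and renderCartRowSafe are assumed names, and the sample record is constructed with harmless formatting tags standing in for a real payload.

```javascript
// Added example, not ERPNext's code. Runs under Node without jQuery; the
// functions return the HTML string that a call like $el.html(...) would receive.

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value ?? '')
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Accept only a site-relative path (not protocol-relative "//host") or an
// absolute http(s) URL; any other scheme is dropped rather than rendered.
function safeImageSrc(src) {
  const s = String(src ?? '').trim();
  if (/^\/(?!\/)[^\s"'<>]*$/.test(s)) return s; // e.g. /files/apple.png
  try {
    const u = new URL(s);
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (_) { /* not an absolute URL */ }
  return '';
}

// Unsafe (hypothetical, mirrors the pattern in the advisory): fields are
// dropped into markup as-is, and the description is only "cleaned" when it
// contains "<div>", which leaves every other tag and attribute untouched.
function renderCartRowUnsafe(item) {
  const description = item.description.includes('<div>')
    ? item.description.replace(/<\/?div[^>]*>/g, '')
    : item.description;
  return '<div class="cart-item">' +
    `<img src="${item.image}">` +
    `<div class="item-name">${item.item_name}</div>` +
    `<div class="item-desc">${description}</div>` +
    '</div>';
}

// Hardened: every user-controlled value is escaped unconditionally for its
// context, and the image source is validated before it is used at all.
function renderCartRowSafe(item) {
  const src = safeImageSrc(item.image);
  return '<div class="cart-item">' +
    (src ? `<img src="${escapeHtml(src)}">` : '') +
    `<div class="item-name">${escapeHtml(item.item_name)}</div>` +
    `<div class="item-desc">${escapeHtml(item.description)}</div>` +
    '</div>';
}

// Constructed sample record: ordinary formatting tags and a non-file image
// reference stand in for attacker-controlled content.
const sampleItem = {
  item_name: 'Apple <b>1kg</b>',
  description: 'Fresh & crunchy <i>imported</i>',
  image: 'notaurl:apple.png',
};

console.log('unsafe:', renderCartRowUnsafe(sampleItem));
console.log('safe:  ', renderCartRowSafe(sampleItem));
```

In a real jQuery-based renderer the text-only fields (item_name, and description if it is treated as plain text) would go through `.text()` rather than `.html()`, which is the library equivalent of escapeHtml above; the img src still needs the scheme check, because escaping alone does not stop a non-http URI from being used as an image source.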
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated user to inject arbitrary HTML or JavaScript into item records, which can then execute in the browsers of other POS operators. This stored cross-site scripting (XSS) issue could lead to unauthorized code execution, potentially exposing sensitive data or enabling further attacks.
Such a vulnerability may impact compliance with standards and regulations like GDPR or HIPAA, as it could lead to unauthorized access or disclosure of personal or sensitive information processed through the ERP system. The ability to execute arbitrary scripts in the POS interface could undermine data integrity and confidentiality requirements mandated by these regulations.
However, the provided information does not explicitly detail the compliance impact or any specific regulatory breaches caused by this vulnerability.
How can this vulnerability impact me?
This vulnerability allows an authenticated user with edit permissions to execute arbitrary JavaScript code in the browsers of other POS operators.
Such code execution can lead to session hijacking, theft of sensitive information, unauthorized actions on behalf of the user, or spreading malware.
Because the malicious payload is stored and triggered whenever the item is added to a transaction, it can affect multiple users repeatedly.
The vulnerability is remotely exploitable and has a medium severity CVSS score of 4.8.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting Item records in ERPNext version 16.16.0 for the presence of arbitrary HTML or JavaScript code in the item_name, description, or image fields.
Since the issue involves stored cross-site scripting (XSS) where malicious code is injected into these fields, you can search the database or export item records to look for suspicious HTML tags such as <script>, <img> with event handlers, or other unusual HTML content.
No specific network commands are provided, but database queries or ERPNext API calls to retrieve and scan these fields for suspicious content would be appropriate.
- Example SQL query to find suspicious HTML tags in item_name or description fields:

  ```sql
  SELECT name, item_name, description
  FROM tabItem
  WHERE item_name LIKE '%<script>%'
     OR description LIKE '%<script>%'
     OR item_name LIKE '%<img%'
     OR description LIKE '%<img%';
  ```
- Alternatively, export item data and use text search tools (e.g., grep) to find suspicious HTML or JavaScript payloads.
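A scanner for exported Item records, as an added example that is not ERPNext's own tooling. It goes beyond the literal-string queries above: item_name is treated as a plain-text field where any tag is a finding, description is treated as a rich-text field where ordinary formatting is expected and only active content (script tags, event-handler attributes, javascript: URIs, embedded frames) is reported, and image is checked for being a file path or http(s) URL. The record shape and the field names item_name, description and image follow the advisory; scanItem, scanItems and the sample export are assumptions constructed for this example.

```javascript
// Added example, not ERPNext's code. Feed it the array of Item records from a
// JSON export; it returns one finding per (record, field, reason).

// Patterns that indicate active content rather than ordinary formatting.
const ACTIVE_CONTENT = [
  { label: 'script tag',          re: /<\s*script\b/i },
  { label: 'event handler attr',  re: /\bon[a-z]+\s*=/i },
  { label: 'javascript: URI',     re: /javascript\s*:/i },
  { label: 'iframe/object/embed', re: /<\s*(iframe|object|embed)\b/i },
  { label: 'svg tag',             re: /<\s*svg\b/i },
];
// Any opening or closing HTML tag at all.
const ANY_TAG = /<\s*\/?\s*[a-z][^>]*>/i;

// Return the findings for one record; an empty array means nothing suspicious.
function scanItem(item) {
  const findings = [];
  const check = (field, value, patterns) => {
    for (const { label, re } of patterns) {
      if (re.test(String(value ?? ''))) findings.push({ name: item.name, field, label });
    }
  };
  // item_name is plain text: a tag of any kind does not belong there.
  check('item_name', item.item_name, [{ label: 'html tag', re: ANY_TAG }, ...ACTIVE_CONTENT]);
  // description is rich text: formatting tags are normal, active content is not.
  check('description', item.description, ACTIVE_CONTENT);
  // image should be a site-relative file path or an absolute http(s) URL.
  const img = String(item.image ?? '').trim();
  const isPath = /^\/(?!\/)[^\s"'<>]*$/.test(img);
  const isHttp = /^https?:\/\/[^\s"'<>]+$/i.test(img);
  if (img && !isPath && !isHttp) {
    findings.push({ name: item.name, field: 'image', label: 'non-file image reference' });
  }
  return findings;
}

// Scan a whole export and flatten the findings.
function scanItems(items) {
  return items.flatMap(scanItem);
}

// Constructed sample export: a clean record, a record with formatting in the
// wrong field, and a record with an inert event-handler attribute and a bad image.
const sampleExport = [
  { name: 'ITEM-0001', item_name: 'Apple 1kg', description: '<div><b>Fresh</b> apples</div>', image: '/files/apple.png' },
  { name: 'ITEM-0002', item_name: 'Pear <i>1kg</i>', description: 'Pears', image: 'https://cdn.example.com/pear.png' },
  { name: 'ITEM-0003', item_name: 'Banana', description: '<p onmouseover="x()">Bananas</p>', image: 'notaurl:banana.png' },
];

for (const f of scanItems(sampleExport)) {
  console.log(`${f.name}\t${f.field}\t${f.label}`);
}
```

Treat the output as a triage list to review by hand: a legitimate rich-text description can contain an img tag, which is also why the `%<img%` LIKE pattern above will return benign rows. The same scanItem check can be reused as a save-time validator on the server side, rejecting an Item whose fields produce findings, which is one way to apply the manual validation suggested in the mitigation answer.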
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or reviewing permissions for users who can edit Item records, especially those with item_name, description, or image field edit rights.
Since there is currently no available patch for this vulnerability, it is important to limit the ability of authenticated users to inject malicious content.
Additionally, avoid adding suspicious items to the Point of Sale (POS) cart interface until the vulnerability is resolved.
Implement manual sanitization or validation of input fields to prevent HTML/JavaScript injection if possible.
Monitor ERPNext official channels for updates or patches addressing this issue.