CVE-2026-42840
Deferred Deferred - Pending Action
Authenticated Stored XSS in ERPNext POS Interface

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: Fluid Attacks

Description
An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-42840
EUVD
EUVD-2026-34157
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
erpnext erpnext 16.16.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in ERPNext version 16.16.0, specifically in the Point of Sale (POS) customer section.

An authenticated user can inject arbitrary HTML or JavaScript code into the email_id or mobile_no fields of a Customer record by exploiting a whitelisted API endpoint or by directly editing customer details.

The injected malicious code is stored in the database without proper sanitization and is later rendered unescaped in the POS interface when a POS operator selects the affected customer.

This happens because the update_customer_section function in pos_item_cart.js improperly handles user-controlled data, failing to escape HTML special characters and misusing the deprecated window.escape() function for URI encoding instead of HTML escaping.

Additionally, a malformed HTML attribute in the get_customer_image() function allows attribute injection, further contributing to the vulnerability.

Compliance Impact

The vulnerability allows an authenticated user to inject and persist arbitrary HTML or JavaScript code in customer records, which is then executed in the Point of Sale (POS) interface for operators. This stored cross-site scripting (XSS) flaw can lead to unauthorized script execution in operator browsers, potentially exposing sensitive customer data or enabling further attacks.

Such a vulnerability can impact compliance with standards like GDPR and HIPAA because it may lead to unauthorized access or disclosure of personal data, undermining data protection and privacy requirements. The ability to execute malicious scripts in the POS interface could facilitate data breaches or manipulation of customer information, which are critical concerns under these regulations.

Impact Analysis

This vulnerability can allow an authenticated user to execute arbitrary HTML or JavaScript code in the browsers of POS operators.

Such code execution can lead to unauthorized actions being performed in the POS interface, potentially compromising the integrity and security of the POS system.

Because the malicious code executes in the context of the POS operator's browser, it could be used to steal session tokens, manipulate the interface, or perform other malicious activities.

The vulnerability has a medium severity with a CVSS v4.0 base score of 5.1 and can be exploited remotely by any authenticated user regardless of their role.

Detection Guidance

This vulnerability involves stored cross-site scripting (XSS) in the email_id or mobile_no fields of Customer records in ERPNext version 16.16.0. Detection involves identifying if these fields contain arbitrary HTML or JavaScript code that could be executed in the Point of Sale (POS) interface.

Since the malicious payload is stored in the database, you can query the Customer records to look for suspicious HTML or JavaScript code in the email_id or mobile_no fields.

  • Use database queries to search for common XSS payload patterns in the email_id or mobile_no fields, for example, searching for <script> tags or event handlers.
  • Example SQL command (adjust according to your database): SELECT name, email_id, mobile_no FROM tabCustomer WHERE email_id LIKE '%<script>%' OR mobile_no LIKE '%<script>%';
  • Alternatively, search for other suspicious HTML tags or attributes that could be used for XSS.

Network detection is limited since the vulnerability is stored and triggered in the POS interface when selecting a customer, so monitoring for unusual or unexpected HTML/JavaScript in these fields is key.

Mitigation Strategies

Immediate mitigation steps include preventing the injection and execution of arbitrary HTML/JavaScript in the email_id and mobile_no fields of Customer records.

  • Restrict or disable editing of the email_id and mobile_no fields by untrusted or low-privileged authenticated users to prevent injection.
  • Manually review and sanitize existing Customer records to remove any malicious HTML or JavaScript code from these fields.
  • Educate POS operators to be cautious when selecting customers and monitor for unusual behavior in the POS interface.
  • Apply strict input validation and sanitization on these fields if possible, or temporarily disable the vulnerable POS functionality until a patch is released.

Since no patch is available as of the disclosure date, these steps help reduce the risk until an official fix is provided.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42840. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart