CVE-2026-42839
Description
An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a transaction. This issue affects ERPNext: 16.16.0.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Arbitrary HTML and JavaScript can be persisted in item fields and rendered unescaped in the Point of Sale cart."
Attack vector
An authenticated ERPNext user with Item record edit permissions can inject HTML/JavaScript into the item name, description, or image fields of an Item record [ref_id=1]. When another user, acting as a POS operator, adds this malicious item to a transaction, the injected payload is rendered unescaped in the POS cart interface, and the script executes [ref_id=1]. This is a stored cross-site scripting condition: the attacker's JavaScript runs in the operator's browser session, with consequences such as theft of session cookies [ref_id=1].
Affected code
The vulnerability lies in the rendering of cart items within the Point of Sale interface. Specifically, the `render_cart_item` function in `pos_item_cart.js` is affected, along with helper functions like `get_description_html` and `get_item_image_html` [ref_id=1]. The issue stems from the use of jQuery's `.html()` sink and direct interpolation of item names, as well as improper sanitization or escaping in these functions [ref_id=1].
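The following is an added illustration of the defect class described above and of the hardened form; it is not ERPNext's `pos_item_cart.js`, and the function names, field names and sample Item records are assumptions. The unsafe renderer interpolates item fields straight into a markup string that a caller would hand to jQuery's `.html()`, so markup stored in the record is reproduced verbatim; the hardened renderer escapes every field at the output sink and validates the image URL (use the framework's own HTML-escaping helper where one is available; the minimal `escapeHtml` here is a stand-in). A small audit function is included because a fix to the renderer does not clean up payloads already persisted in existing Item records.

```javascript
// Added example (not ERPNext code). Names and sample data are assumptions.

// Minimal HTML escaper: neutralises the five characters that can break out of
// text or attribute context. Stand-in for the framework's own escaping helper.
function escapeHtml(value) {
  return String(value ?? "")
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Accept only http(s) URLs or site-relative paths for the image field;
// anything else (javascript:, data:, protocol-relative //host) is dropped.
function safeImageUrl(url) {
  if (typeof url !== "string") return "";
  const ok = /^(https?:\/\/|\/(?!\/))/i.test(url);
  return ok ? escapeHtml(url) : "";
}

// Vulnerable pattern: item fields interpolated directly into markup that the
// caller then passes to .html(). Whatever was stored in the record is rendered
// as live HTML in every operator's browser.
function renderCartItemUnsafe(item) {
  return `<div class="cart-item">` +
    `<img src="${item.image}">` +
    `<span class="item-name">${item.item_name}</span>` +
    `<div class="item-desc">${item.description}</div>` +
    `</div>`;
}

// Hardened: every text field is escaped at the sink and the image URL is validated.
function renderCartItemSafe(item) {
  const img = safeImageUrl(item.image);
  return `<div class="cart-item">` +
    (img ? `<img src="${img}">` : "") +
    `<span class="item-name">${escapeHtml(item.item_name)}</span>` +
    `<div class="item-desc">${escapeHtml(item.description)}</div>` +
    `</div>`;
}

// Defensive audit: flag stored Item records whose text fields already contain
// markup or event-handler syntax, or whose image field is not a plain URL, so
// records persisted before hardening can be reviewed and cleaned.
function findSuspiciousItems(items) {
  const markup = /<[a-z!\/?]|javascript:|on[a-z]+\s*=/i;
  return items.filter((it) =>
    markup.test(String(it.item_name ?? "")) ||
    markup.test(String(it.description ?? "")) ||
    (it.image && !safeImageUrl(it.image))
  );
}

// Constructed sample records (not real ERPNext data).
const sampleItems = [
  { name: "ITEM-0001", item_name: "Plain Widget", description: "A normal item", image: "/files/widget.png" },
  { name: "ITEM-0002", item_name: "Widget <img src=x onerror=alert(1)>", description: "stored payload", image: "/files/w.png" },
  { name: "ITEM-0003", item_name: "Gadget", description: "ok", image: "javascript:alert(1)" },
];

// Stand-alone demonstration: the unsafe renderer reproduces the stored markup,
// the safe renderer neutralises it, and the audit lists the two tainted records.
console.log(renderCartItemUnsafe(sampleItems[1]));
console.log(renderCartItemSafe(sampleItems[1]));
console.log(findSuspiciousItems(sampleItems).map((it) => it.name));
```

The key point is where escaping happens: at the sink, immediately before the string reaches `.html()`, not at record-save time, so that a record written through any other path (import, API, older client) is still rendered safely.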
What the fix does
There is currently no patch available for this vulnerability. The advisory recommends that users update to a version where the vulnerability is fixed, but does not specify which version that is [ref_id=1].
Preconditions
- auth: The attacker must be an authenticated ERPNext user with Item record edit permissions.
- config: The target system must be running ERPNext version 16.16.0.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.