VYPR
Medium severity · NVD Advisory · Published Jun 3, 2026 · Updated Jun 3, 2026

CVE-2026-42840


Description

ERPNext 16.16.0 allows authenticated users to inject HTML/JavaScript into customer records, leading to Stored XSS in the Point of Sale interface.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record in ERPNext version 16.16.0. The vulnerability arises because the Point of Sale (POS) interface renders these fields without proper HTML sanitization, specifically within the update_customer_section function in pos_item_cart.js [1].

Exploitation

An attacker needs to be authenticated to the ERPNext system. They can then inject HTML/JavaScript payloads into the email_id or mobile_no fields of a customer record, either directly via an API call to the whitelisted set_customer_info method or through the POS customer info panel. When any operator selects this customer in the POS interface, the injected script will be rendered unescaped [1].

Impact

Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript within the context of the POS interface for any operator who views the affected customer's details. This can lead to session hijacking, information disclosure, or further manipulation of the POS interface, depending on the privileges of the operator viewing the customer [1].

Mitigation

ERPNext version 16.16.0 is affected by this vulnerability. A fix for this issue has been released. Users are advised to update to a patched version. Information regarding specific patch versions and release dates is not detailed in the provided references, but the vulnerability is addressed in later releases of ERPNext [2].

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Arbitrary HTML/JavaScript is persisted in customer fields and rendered unescaped in the Point of Sale interface."

Attack vector

An authenticated user can exploit this vulnerability by injecting HTML/JavaScript into the `email_id` or `mobile_no` fields of a Customer record. This payload is then rendered unescaped when any operator selects that customer in the Point of Sale (POS) interface. The injection can occur either by directly calling the `set_customer_info` whitelisted API endpoint or by editing the Customer record directly if the user has edit permissions. The `onerror` event handler in the injected script can then execute arbitrary JavaScript, such as `alert(document.cookie)` [1].

Affected code

The vulnerability lies within the Point of Sale (POS) interface, specifically in the `update_customer_section` function in `pos_item_cart.js`. This function uses jQuery's `.html()` method to render customer details fetched by `fetch_customer_details`. The `set_customer_info` function in `point_of_sale.py` is a whitelisted API endpoint that can be called to persist malicious data into the `email_id` or `mobile_no` fields [1].
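The sink pattern described above, as an added illustration that is not code from ERPNext or from this advisory: a render function that concatenates raw record values into markup destined for a `.html()`-style sink, beside the same render with every untrusted value HTML-escaped, plus a field-shape check of the kind a write endpoint could apply before storing contact data. The function names (`escapeHtml`, `renderCustomerUnsafe`, `renderCustomerSafe`, `countTags`, `checkContactFields`) and the sample record are assumptions made for this example; `countTags` stands in for "what the DOM would build" so the contrast can be checked without a browser.

```javascript
// Added example (not ERPNext project code): the unsafe "raw value into .html()"
// pattern beside an escaped render, plus a server-side style field check.
// escapeHtml, renderCustomerUnsafe, renderCustomerSafe, countTags and
// checkContactFields are names assumed for this illustration.

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value ?? "")
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe: database values are concatenated straight into markup that would be
// handed to a sink such as jQuery's .html(). Any tag inside a value becomes
// live DOM. Kept only to contrast with the escaped version below.
function renderCustomerUnsafe(customer) {
  return (
    `<div class="customer-name">${customer.customer_name}</div>` +
    `<div class="customer-email">${customer.email_id}</div>` +
    `<div class="customer-mobile">${customer.mobile_no}</div>`
  );
}

// Safe: every untrusted value is escaped before it reaches the markup, so the
// browser displays the literal characters instead of interpreting them.
function renderCustomerSafe(customer) {
  return (
    `<div class="customer-name">${escapeHtml(customer.customer_name)}</div>` +
    `<div class="customer-email">${escapeHtml(customer.email_id)}</div>` +
    `<div class="customer-mobile">${escapeHtml(customer.mobile_no)}</div>`
  );
}

// Counts opening element tags in a markup string: a stand-in for how many
// elements the DOM would build from it.
function countTags(markup) {
  return (markup.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Defence in depth: an email or mobile field has no business containing
// markup, so a write endpoint can refuse such values before they are stored.
// Returns the names of fields that fail the check (empty array = accepted).
function checkContactFields(customer) {
  const rejected = [];
  const email = String(customer.email_id ?? "");
  const mobile = String(customer.mobile_no ?? "");
  // Loose shapes: one "@" and no whitespace or angle brackets for an email;
  // digits, spaces and + - ( ) for a phone number.
  if (email !== "" && !/^[^\s<>@]+@[^\s<>@]+$/.test(email)) rejected.push("email_id");
  if (mobile !== "" && !/^[0-9+\-() ]+$/.test(mobile)) rejected.push("mobile_no");
  return rejected;
}

// Constructed sample record: the email field carries an injected tag.
const sampleCustomer = {
  customer_name: "Example Customer",
  email_id: '<img src=x onerror="alert(1)">',
  mobile_no: "+1 555 0100",
};

console.log("unsafe tags:", countTags(renderCustomerUnsafe(sampleCustomer))); // 4
console.log("safe tags:", countTags(renderCustomerSafe(sampleCustomer)));     // 3
console.log("rejected fields:", checkContactFields(sampleCustomer));          // [ 'email_id' ]
```

Output escaping at the sink is the fix that closes the bug; the field check is a second layer that keeps markup out of the database in the first place, which also makes an audit of existing Customer rows straightforward (any `email_id` or `mobile_no` that fails `checkContactFields` is worth a look).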

What the fix does

There is currently no patch available for this vulnerability. The advisory recommends that users update to a version where the vulnerability is fixed, but does not specify which version that is. The vulnerability is caused by the `frappe.db.get_value` function returning raw database values which are then placed directly into the DOM using jQuery's `.html()` sink without proper escaping [1].

Preconditions

  • auth: The attacker must be an authenticated user in ERPNext.
  • input: The attacker must be able to inject HTML/JavaScript into the `email_id` or `mobile_no` fields of a Customer record.

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)