ERPNext Cross-Site Scripting Vulnerability in Email Template Engine

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in ERPNext versions through 15.103.1, specifically within the Email Template engine. This issue allows an attacker with the ability to create or edit email templates to inject malicious JavaScript. The injected script is executed in the browser of the victim when the template is used.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the email template.
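As an added illustration of the defensive control this class of bug calls for (this is example code written for this page, not ERPNext's or Frappe's own sanitizer), the following Python sanitizer, built only on the standard library, is applied to an email template body at save time. Because the attacker here is a template editor, escaping substituted values is not enough; the template markup itself has to be reduced to an allowlist of tags and attributes, with script and style blocks, event-handler attributes and unsafe URL schemes removed. The allowlist, the sample template text and the `sanitize_template` / `TemplateSanitizer` names are assumptions of the example; it also returns the list of dropped constructs so that a save hook can log them for review.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy: tags and attributes a template author may use.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a",
                "table", "tr", "td", "th", "h1", "h2", "h3", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan"}, "th": {"colspan"}}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}  # tag and its text are both removed


def _safe_url(value):
    """Allow only http(s), mailto and site-relative links in href."""
    v = (value or "").strip().lower()
    return v.startswith(("http://", "https://", "mailto:", "/"))


class TemplateSanitizer(HTMLParser):
    """Rebuilds the markup from an allowlist, discarding everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments, joined at the end
        self.skip_depth = 0  # > 0 while inside script/style content
        self.dropped = []    # record of removed tags/attributes for logging

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.dropped.append(f"<{tag}>")
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            # Event handlers (onclick, onload, ...) and unknown attributes are dropped.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
                continue
            if name == "href" and not _safe_url(value):
                self.dropped.append(f"{tag}@href={value!r}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # <br/> and similar self-closing forms are treated like start tags.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped so that decoded entities cannot form new markup.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_template(body):
    """Return (clean_html, dropped) for a submitted template body."""
    parser = TemplateSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample of a template body as a template editor might submit it.
    SAMPLE = ('<p>Hello {{ doc.name }}</p><script>/* injected */</script>'
              '<a href="javascript:x" onclick="y">link</a>')
    clean, dropped = sanitize_template(SAMPLE)
    print(clean)    # <p>Hello {{ doc.name }}</p><a>link</a>
    print(dropped)  # ['<script>', "a@href='javascript:x'", 'a@onclick']
```

Templating placeholders such as `{{ doc.name }}` pass through untouched, so the sanitized body can still be rendered by the template engine afterwards; the `dropped` list is what a defender would alert on, since a legitimate email template has no reason to contain script blocks or event-handler attributes.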

Added: May 5, 2026, 5:19 PM
Updated: May 5, 2026, 5:19 PM

Vulnerability Rating (Custom Algorithm)

spread:         2.6
impact:         1.7
exploitability: 6.0
remediation:    0.0
relevance:      7.5
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.