ERPNext Arbitrary HTML/JavaScript Injection Vulnerability in Point of Sale Cart Interface

Vulnerability

A stored cross-site scripting vulnerability exists in ERPNext version 16.16.0. An authenticated user who has permission to edit Item records can place arbitrary HTML or JavaScript in the item_name, description, or image fields of an Item record. The Point of Sale (POS) cart interface renders these fields without escaping them, so the injected content is executed in the browser of every POS operator who adds the modified item to a transaction. Only permission to edit Item records is required to plant the payload.

Impact

Exploitation results in stored cross-site scripting (XSS): the injected script runs in the browser of each POS operator who adds the affected item, inside that operator's authenticated ERPNext session, and can therefore take any action in the POS that the operator can. Because the payload lives in the Item record, it fires on every cart render that includes the item until the record is cleaned up.
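The following is an added example, not code from ERPNext or Frappe: it reproduces the rendering mistake described above in a minimal cart-row renderer and places the hardened version beside it. The item record, the function names, the placeholder image path, and the URL policy for the image field are all constructed for illustration; the real POS code and its field names may differ.

```javascript
// Added example (not ERPNext/Frappe code). Shows how an unescaped Item
// field becomes stored XSS in a POS cart row, and one hardened rendering
// of the same row. All names and the sample item below are constructed.

// Constructed attacker-controlled Item record, as a user with Item write
// permission could save it. (constructed sample data)
const maliciousItem = {
  item_code: "ITEM-0001",
  item_name: '<img src=x onerror="alert(document.cookie)">',
  description: "Widget <script>alert(1)</script>",
  image: "javascript:alert(1)",
  qty: 1,
  rate: 10,
};

// Vulnerable pattern: HTML built by string interpolation and handed to
// innerHTML. Every field lands in the DOM unescaped, so the item_name
// payload runs in the operator's browser as soon as the row is rendered.
function renderCartItemUnsafe(item) {
  return `<div class="cart-item">
  <img src="${item.image}">
  <div class="item-name">${item.item_name}</div>
  <div class="item-desc">${item.description}</div>
  <div class="item-qty">${item.qty} x ${item.rate}</div>
</div>`;
}

// Escape the characters that matter in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value == null ? "" : value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The image field is a URL, so escaping alone is not enough: a javascript:
// or data: scheme survives escaping untouched. Accept only http(s) URLs and
// site-relative paths (not protocol-relative //host), otherwise use a
// placeholder. (assumed policy and assumed placeholder path)
function safeImageSrc(value) {
  const s = String(value == null ? "" : value).trim();
  const isHttp = /^https?:\/\//i.test(s);
  const isSiteRelative = s.startsWith("/") && !s.startsWith("//");
  return isHttp || isSiteRelative ? escapeHtml(s) : "/assets/placeholder.png";
}

// Hardened rendering: same layout, every field escaped for its context.
function renderCartItemSafe(item) {
  return `<div class="cart-item">
  <img src="${safeImageSrc(item.image)}">
  <div class="item-name">${escapeHtml(item.item_name)}</div>
  <div class="item-desc">${escapeHtml(item.description)}</div>
  <div class="item-qty">${escapeHtml(item.qty)} x ${escapeHtml(item.rate)}</div>
</div>`;
}

// A quick check to run over rendered markup: did a raw tag, an inline
// event handler, or a javascript: URL from the item fields survive?
function containsActiveMarkup(html) {
  return /<script\b|<img\b[^>]*\bonerror=|javascript:/i.test(html);
}

// Stand-alone demonstration.
console.log("unsafe leaks payload:", containsActiveMarkup(renderCartItemUnsafe(maliciousItem)));
console.log("safe leaks payload:  ", containsActiveMarkup(renderCartItemSafe(maliciousItem)));
```

The point of keeping both renderers side by side is that the fix is not a global "sanitize the item name" step: each field must be encoded for the context it lands in (text node, quoted attribute, or URL), and the image field needs a scheme check rather than escaping, since an escaped `javascript:` URL is still a `javascript:` URL to the browser.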

Added: Jun 3, 2026, 7:40 PM
Updated: Jun 3, 2026, 7:40 PM

Vulnerability Rating

Custom Algorithm
spread          2.6
impact          1.7
exploitability  5.3
remediation     0.0
relevance       9.9
threat          3.2
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.