CVE-2026-42840 Overview
CVE-2026-42840 is a stored Cross-Site Scripting (XSS) vulnerability in ERPNext 16.16.0. An authenticated user can persist arbitrary HTML or JavaScript in the email_id or mobile_no fields of a Customer record. The Point of Sale (POS) interface renders these fields without escaping, executing attacker-controlled script in the browser of every operator who selects the customer.
The flaw is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation). Exploitation requires only low-privileged authenticated access and user interaction from a POS operator.
Critical Impact
Stored payloads execute in any operator session that loads the affected customer record, enabling session theft, action forgery, or pivoting within the ERPNext tenant.
Affected Products
- ERPNext 16.16.0
- Frappe ERPNext Customer module
- Frappe ERPNext Point of Sale (POS) interface
Discovery Timeline
- 2026-06-03 - CVE-2026-42840 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-42840
Vulnerability Analysis
The vulnerability is a stored XSS in the ERPNext Customer document type. The email_id and mobile_no fields accept arbitrary content during customer create or update operations. The server persists the input without neutralizing HTML control characters.
When a POS operator selects the customer, the POS interface reads these fields and writes them into the Document Object Model (DOM) without escaping. The browser parses the injected markup and executes any embedded <script> tags or event handlers.
The issue affects every POS operator who views the poisoned customer record. This converts a single write by a low-privileged user into script execution across multiple cashier or sales sessions. Refer to the FluidAttacks Security Advisory for additional technical context.
Root Cause
The root cause is missing output encoding in the POS rendering path. ERPNext applies field-level validation for format on some Customer fields but does not sanitize HTML in email_id or mobile_no before storage or before rendering in the POS view. The render path treats the value as trusted markup instead of untrusted text.
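The difference between the two render paths described above is easiest to see side by side. The POS client that performs the actual render is JavaScript; the Python example below is added here (it is not ERPNext's or Frappe's own code) and models the same step: one function interpolates the stored field values into a hypothetical customer-card template unchanged, the other encodes each value for an HTML text context first. The customer record and the template are constructed for the example.

```python
import html

# Constructed Customer record for this example (not data from any real ERPNext
# tenant): both contact fields carry markup instead of a plain address or number.
SAMPLE_CUSTOMER = {
    "customer_name": "Acme Trading",
    "email_id": "<b>billing</b>@example.com",
    "mobile_no": "+1 555 0100 <i>ext 7</i>",
}

# Fields the customer card is assumed to display (hypothetical template; the
# real POS markup is not reproduced here).
CARD_FIELDS = ("customer_name", "email_id", "mobile_no")


def render_customer_card_unsafe(customer):
    """Model of the vulnerable render path: each field value is interpolated into
    the markup unchanged, so a browser parsing the result treats any tags inside
    the value as part of the page."""
    parts = [f'<div class="{field}">{customer[field]}</div>' for field in CARD_FIELDS]
    return '<div class="customer-card">' + "".join(parts) + "</div>"


def encode_for_html_text(value):
    """Output encoding for an HTML text context: the characters that can change
    the meaning of surrounding markup (& < > " ') become character references."""
    return html.escape(str(value), quote=True)


def render_customer_card_safe(customer):
    """Hardened render path: identical template, but every field value is encoded
    before it is placed in the markup. The browser then displays the characters
    instead of interpreting them as tags or attributes."""
    parts = [
        f'<div class="{field}">{encode_for_html_text(customer[field])}</div>'
        for field in CARD_FIELDS
    ]
    return '<div class="customer-card">' + "".join(parts) + "</div>"


def field_values_leak_as_markup(rendered, customer):
    """Check on a rendered card: True if any stored field value that contains a
    tag delimiter appears verbatim in the output, meaning the value reached the
    page as markup rather than as text."""
    return any(
        ("<" in str(customer[f]) or ">" in str(customer[f])) and str(customer[f]) in rendered
        for f in CARD_FIELDS
    )


if __name__ == "__main__":
    print("unsafe:", render_customer_card_unsafe(SAMPLE_CUSTOMER))
    print("safe:  ", render_customer_card_safe(SAMPLE_CUSTOMER))
```

The encoding belongs at the point of output, not only at storage: a value that was stored before validation was added, or that arrives through an import or API path that bypasses the form, still renders safely if the POS view encodes it. Note that the context matters; `html.escape` is correct for text and quoted attribute values, while values placed into a URL or a script block need context-specific encoding instead.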
Attack Vector
An attacker with authenticated access and Customer write permission creates or edits a Customer document. The attacker places an HTML or JavaScript payload in email_id or mobile_no. The payload remains dormant in the database. When any POS operator opens the cart and selects that customer, the POS view loads the fields and the payload executes in the operator's browser within the ERPNext origin.
Because execution occurs in the operator's authenticated session, the payload can call ERPNext REST endpoints, exfiltrate session cookies that are not HttpOnly, or modify transactions in progress.
No verified public exploit code is available. The vulnerability mechanism is described in the FluidAttacks Security Advisory and the GitHub ERPNext Repository.
Detection Methods for CVE-2026-42840
Indicators of Compromise
- Customer records where email_id or mobile_no contain <, >, script, onerror, onload, or javascript: substrings.
- Outbound HTTP requests from POS operator browsers to unexpected external hosts shortly after a customer is selected in the POS view.
- Frappe audit log entries showing Customer document updates from accounts that do not normally manage customer master data.
Detection Strategies
- Query the tabCustomer table for email_id or mobile_no values that fail strict regex validation for email or phone format.
- Inspect browser console errors and Content Security Policy violation reports generated by POS sessions.
- Review web server access logs for POS endpoints returning customer payloads containing HTML metacharacters.
Monitoring Recommendations
- Alert on Customer document writes that contain angle brackets or javascript: schemes in contact fields.
- Monitor POS user sessions for anomalous API calls issued from the browser after customer selection events.
- Track Customer record edits performed by accounts outside the sales or master-data roles.
How to Mitigate CVE-2026-42840
Immediate Actions Required
- Restrict Customer create and update permissions to trusted roles until a patched ERPNext release is deployed.
- Audit existing Customer records for HTML or script content in email_id and mobile_no and sanitize affected rows.
- Force re-authentication for POS operators and invalidate existing sessions if poisoned records were viewed.
Patch Information
The advisory identifies ERPNext 16.16.0 as affected. Monitor the GitHub ERPNext Repository for releases that introduce output encoding in the POS customer rendering path and input validation on email_id and mobile_no. Apply the fixed version as soon as it is published by the Frappe project.
Workarounds
- Apply server-side validation that rejects Customer field values containing HTML metacharacters before save.
- Deploy a Content Security Policy that blocks inline script execution in the POS interface to reduce payload viability.
- Limit Customer write permissions through Frappe role-based access control to reduce the attacker population.
# Example regex literals for strict format validation of the Customer contact fields,
# intended for use from a server-side validate hook.
# A value that does not match its pattern is rejected; neither pattern admits
# HTML metacharacters such as <, > or quotes.
VALIDATE_EMAIL='^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
VALIDATE_PHONE='^[+0-9 ()-]{4,20}$'
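The two regexes above serve both the first Detection Strategy (querying tabCustomer for values that fail strict format checks) and the first Workaround (rejecting such values before save). The Python example below is added here and is not ERPNext's or Frappe's own code; it combines the page's regexes with the substring indicators from the Indicators of Compromise list into one check, runs it as a scan over rows shaped like a `SELECT name, email_id, mobile_no FROM tabCustomer` result, and exposes the same check as a pre-save validation function. How the rows are fetched and how the validation function is attached to the Customer doctype in Frappe are assumed and not shown; the sample rows are constructed.

```python
import re

# Strict format patterns, taken from the advisory's own regex snippet.
VALIDATE_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
VALIDATE_PHONE = re.compile(r"^[+0-9 ()-]{4,20}$")
FIELD_PATTERNS = {"email_id": VALIDATE_EMAIL, "mobile_no": VALIDATE_PHONE}

# Substrings from the advisory's indicators-of-compromise list (matched case-insensitively).
IOC_SUBSTRINGS = ("<", ">", "script", "onerror", "onload", "javascript:")


def check_field(field, value):
    """Return the reasons a stored value looks suspicious (empty list means clean).
    Empty values pass: both fields are optional on a Customer."""
    if not value:
        return []
    reasons = []
    lowered = value.lower()
    for ioc in IOC_SUBSTRINGS:
        if ioc in lowered:
            reasons.append(f"contains indicator {ioc!r}")
    if not FIELD_PATTERNS[field].fullmatch(value):
        reasons.append(f"fails strict {field} format")
    return reasons


def scan_customers(rows):
    """Detection pass over rows shaped like the result of
    SELECT name, email_id, mobile_no FROM tabCustomer. Fetching the rows from the
    database is left to the deployment; the rows used here are constructed."""
    findings = []
    for row in rows:
        for field in FIELD_PATTERNS:
            reasons = check_field(field, row.get(field))
            if reasons:
                findings.append({"name": row["name"], "field": field,
                                 "value": row[field], "reasons": reasons})
    return findings


def validate_customer(doc):
    """Pre-save workaround: refuse the document if either contact field fails.
    Attaching this to a Frappe validate hook for Customer is assumed, not shown."""
    problems = {f: check_field(f, doc.get(f)) for f in FIELD_PATTERNS}
    problems = {f: r for f, r in problems.items() if r}
    if problems:
        raise ValueError(f"Customer contact fields rejected: {problems}")
    return True


# Constructed sample rows (not real data): two clean records, one carrying markup,
# one legitimate address that trips a substring indicator, one malformed address.
SAMPLE_ROWS = [
    {"name": "CUST-0001", "email_id": "billing@example.com", "mobile_no": "+1 (555) 010-0100"},
    {"name": "CUST-0002", "email_id": "sales@example.org", "mobile_no": "555-0102"},
    {"name": "CUST-0003", "email_id": "<b>billing</b>@example.com", "mobile_no": "+1 555 0103"},
    {"name": "CUST-0004", "email_id": "subscriptions@example.com", "mobile_no": "555 0104"},
    {"name": "CUST-0005", "email_id": "billing @example.com", "mobile_no": None},
]

if __name__ == "__main__":
    for finding in scan_customers(SAMPLE_ROWS):
        print(finding)
```

Two caveats show up in the constructed rows. The substring indicators are noisy: `subscriptions@example.com` is flagged only because it contains `script`, so substring hits need triage while a strict-format failure on a field that should hold an address or number is the stronger signal. In the other direction, the strict email pattern rejects some legitimate input (addresses without a dotted top-level domain, non-ASCII local parts), so check existing data with the scan before turning the same rule into a hard save-time rejection.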
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.