CVE-2026-38432

MEDIUM

ERPNext < 15.103.1 - Stored Cross-Site Scripting in Email Template Engine

Title source: llm

Description

ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's browser when the template is applied.

References (1)

Core 1

Core References

https://c0wking.hashnode.dev/stored-xss-in-erpnext-frappe-email-template-engine

Scores

CVSS v3 6.1

EPSS 0.0018

EPSS Percentile 7.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

frappe/erpnext < 15.103.1

Published May 05, 2026

Tracked Since May 05, 2026