Cross-site scripting in ERPNext - #VU128490

Published: April 30, 2026


Vulnerability identifier: #VU128490
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Frappe
Affected software: ERPNext

Detailed vulnerability description

The vulnerability allows a remote user to perform unauthorized actions, access and modify data, and steal tokens.

The vulnerability exists due to insufficient sanitization of record names when they are rendered in dashboards, tools, and portals. A remote user can create a record whose name contains markup or script; when another user views a page that renders that name, the injected script executes in the victim's browser, allowing the attacker to perform unauthorized actions, access and modify data, and steal tokens.

User interaction is required to trigger the injected script.
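The pattern behind this class of bug, shown as an added example that is not ERPNext or Frappe code: a record name taken from the database is interpolated straight into HTML, versus the same rendering with the name escaped for the HTML text context and percent-encoded for the URL context. The `escapeHtml` helper and the `/app/<doctype>/<name>` link shape are assumptions for illustration; the sample record names are constructed.

```javascript
// Added example (not ERPNext/Frappe code): contrasts string-concatenated
// rendering of an untrusted record name with an escaped equivalent.
// escapeHtml is a local helper, an assumption standing in for whatever
// escaping utility the real application provides.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the record name is interpolated into markup verbatim,
// so any tag in the name becomes part of the rendered DOM.
function renderRecordLinkUnsafe(doctype, name) {
  return `<a class="record-link" href="/app/${doctype}/${name}">${name}</a>`;
}

// Hardened pattern: escape the name where it enters HTML text, and
// percent-encode it where it enters a URL path segment (two different
// contexts, two different encoders).
function renderRecordLinkSafe(doctype, name) {
  const safeText = escapeHtml(name);
  const safeHref = `/app/${encodeURIComponent(doctype)}/${encodeURIComponent(name)}`;
  return `<a class="record-link" href="${escapeHtml(safeHref)}">${safeText}</a>`;
}

// Review check: does any raw tag from the record name survive in the
// rendered fragment? A correct renderer never lets one through.
function leaksMarkup(rendered, name) {
  const tagsInName = name.match(/<[^>]+>/g) || [];
  return tagsInName.some((tag) => rendered.includes(tag));
}

// Constructed sample record names: a normal id, one with characters that
// are legal in a name but special in HTML, and one carrying a script tag.
const SAMPLE_NAMES = [
  'CUST-0001',
  "O'Brien & Sons",
  'Supplier <script>alert(1)</script>',
];

// Runs both renderers over the samples and reports which ones leak markup.
function demo() {
  return SAMPLE_NAMES.map((name) => ({
    name,
    unsafeLeaks: leaksMarkup(renderRecordLinkUnsafe('Customer', name), name),
    safeLeaks: leaksMarkup(renderRecordLinkSafe('Customer', name), name),
  }));
}

console.table(demo());
```

The point of `leaksMarkup` is that it is a cheap, context-free check a reviewer can run over rendered output in a unit test: any renderer that echoes a tag from a user-controlled name is wrong regardless of which page it sits on.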


Remediation

Install the security update from the vendor's website.

Sources