What is CVE-2026-38432?

CVE-2026-38432 is a medium-severity vulnerability in Frappe Erpnext, classified under Cross-site Scripting. CVSS score: 6.1/10. Published 2026-05-05.

How severe is CVE-2026-38432?

Medium severity. CVSS v3 base score is 6.1 out of 10.

XSS in Frappe Erpnext

CVE-2026-38432

ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's bro…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (9.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.1 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Affected products

Frappe Erpnext
N/a — versions n/a

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

cve@mitre.org (Exploit, Third Party Advisory)

Frequently asked questions

What is CVE-2026-38432?: CVE-2026-38432 is a medium-severity vulnerability in Frappe Erpnext, classified under Cross-site Scripting. CVSS score: 6.1/10. Published 2026-05-05.
How severe is CVE-2026-38432?: Medium severity. CVSS v3 base score is 6.1 out of 10.