XSS in Frappe Erpnext

CVE-2026-42839

An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for e…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (10.8th percentile) — read the EPSS interpretation.