XSS in Frappe ERPNext

CVE-2026-42840

An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This is…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (14.8th percentile) — read the EPSS interpretation.

Affected products

Weakness classification (CWE)

References