
11 matches found

NVD
added yesterday, 2 views

CVE-2026-42839

An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the itemname, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a transaction. This issue...

CVSS 4.8
Exploits: 0, References: 2
NVD
added yesterday, 3 views

CVE-2026-42840

An authenticated user can persist arbitrary HTML/JavaScript in the emailid or mobileno fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0...

CVSS 5.1
Exploits: 0, References: 2
Cvelist
added yesterday, 2 views

CVE-2026-42839 ERPNext 16.16.0 - Stored XSS in POS cart item rendering

An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the itemname, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a transaction. This issue...

CVSS 4.8
Exploits: 0, References: 2
EUVD
added yesterday, 4 views

EUVD-2026-34157

An authenticated user can persist arbitrary HTML/JavaScript in the emailid or mobileno fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0...

CVSS 5.1, AI score 5.9
Exploits: 0, References: 2
Cvelist
added yesterday, 4 views

CVE-2026-42840 ERPNext 16.16.0 - Stored XSS in POS customer section via unescaped template literals

An authenticated user can persist arbitrary HTML/JavaScript in the emailid or mobileno fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0...

CVSS 5.1
Exploits: 0, References: 2
ATTACKERKB
added yesterday, 2 views

CVE-2026-42840

An authenticated user can persist arbitrary HTML/JavaScript in the emailid or mobileno fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0...

CVSS 5.1, AI score 5.9
Exploits: 0, References: 3, Affected Software: 1
Positive Technologies
added yesterday, 3 views

PT-2026-46043

An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item name, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a transaction. This issue...

CVSS 4.8, AI score 5.9
Exploits: 0, References: 3
ATTACKERKB
added 2026/05/13 9:14 p.m., 3 views

CVE-2026-44441

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoint, which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 15.106.0 and 16.16...

CVSS 5, AI score 5.8, EPSS 0.00028
Exploits: 0, References: 2, Affected Software: 1
Oracle Linux
added 2022/09/22 12:0 a.m., 42 views

nodejs and nodejs-nodemon security and bug fix update

nodejs 16.16.0-1 - Rebase to version 16.16.0 Resolves: RHBZ2106290 Resolves: CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215 16.14.0-5 - Decouple dependency bundling from bootstrapping nodejs-nodemon...

CVSS 9.8, AI score 2.5, EPSS 0.86472
Exploits: 6
CBLMariner
added 2022/08/31 6:17 a.m., 23 views

CVE-2022-32214 affecting package nodejs for versions less than 16.16.0-1

CVE-2022-32214 affecting package nodejs for versions less than 16.16.0-1. An upgraded version of the package is available that resolves this issue...

CVSS 6.5, AI score 7.6, EPSS 0.39294
Exploits: 1
CBLMariner
added 2022/08/31 6:17 a.m., 23 views

CVE-2022-32215 affecting package nodejs for versions less than 16.16.0-1

CVE-2022-32215 affecting package nodejs for versions less than 16.16.0-1. An upgraded version of the package is available that resolves this issue...

CVSS 6.5, AI score 7.7, EPSS 0.86472
Exploits: 1