CVE-2026-42840— ERPNext 安全漏洞

ERPNext 16.16.0 - Stored XSS in POS customer section via unescaped template literals

An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

ERPNext 安全漏洞

ERPNext是印度ERPNext公司的一套开源的企业资源计划解决方案。 ERPNext 16.16.0版本存在安全漏洞，该漏洞源于经过身份验证的用户可在客户记录的电子邮件或手机字段中持久化任意HTML/JavaScript，并在销售点界面中触发未转义渲染。

N/A

N/A