CVE-2026-38432
Published 2026-05-05
Priority: P4 · 26 · medium · CVSS 3.1 base score 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.18% (7.2th percentile)
ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that is executed in the victim's browser when the template is applied.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| frappe | erpnext | <= 15.103.1 | — |
GHSA
GHSA-78h5-gvjw-7pp9: ERPNext v15 (ghsa_unreviewed · 2026-05-05)
CVE-2026-38432 [MEDIUM] CWE-79
VulDB
Frappe ERPNext up to 15.103.1 Email Template cross site scripting (vuldb · 2026-05-05)
CVE-2026-38432 [LOW]
A vulnerability was found in Frappe ERPNext up to 15.103.1. It has been declared as problematic. Affected is an unknown function of the component Email Template Handler. The manipulation results in cross site scripting.
This vulnerability is identified as CVE-2026-38432. The attack can be executed remotely. No exploit is available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-05