{"api_version":"1","generated_at":"2026-05-13T07:43:32+00:00","cve":"CVE-2026-38432","urls":{"html":"https://cve.report/CVE-2026-38432","api":"https://cve.report/api/cve/CVE-2026-38432.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-38432","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-38432"},"summary":{"title":"CVE-2026-38432","description":"ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's browser when the template is applied.","state":"PUBLISHED","assigner":"mitre","published_at":"2026-05-05 17:17:04","updated_at":"2026-05-08 17:05:35"},"problem_types":["CWE-79","n/a","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"6.1","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"6.1","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}}],"references":[{"url":"https://c0wking.hashnode.dev/stored-xss-in-erpnext-frappe-email-template-engine","name":"https://c0wking.hashnode.dev/stored-xss-in-erpnext-frappe-email-template-engine","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-38432","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-38432","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"38432","vulnerable":"1","versionEndIncluding":"15.103.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"frappe","cpe5":"erpnext","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"38432","cve":"CVE-2026-38432","epss":"0.000300000","percentile":"0.086460000","score_date":"2026-05-12","updated_at":"2026-05-13 00:11:54"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-38432","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-05-06T13:26:33.215711Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-06T15:26:13.689Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://c0wking.hashnode.dev/stored-xss-in-erpnext-frappe-email-template-engine"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"descriptions":[{"lang":"en","value":"ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's browser when the template is applied."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2026-05-05T16:16:44.521Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"url":"https://c0wking.hashnode.dev/stored-xss-in-erpnext-frappe-email-template-engine"}]}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2026-38432","datePublished":"2026-05-05T00:00:00.000Z","dateReserved":"2026-04-06T00:00:00.000Z","dateUpdated":"2026-05-06T15:26:13.689Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-05 17:17:04","lastModifiedDate":"2026-05-08 17:05:35","problem_types":["CWE-79","n/a","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*","versionEndIncluding":"15.103.1","matchCriteriaId":"1300B107-AF39-4DBD-86BA-406B38A0FB1C"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"38432","Ordinal":"1","Title":"CVE-2026-38432","CVE":"CVE-2026-38432","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"38432","Ordinal":"1","NoteData":"ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's browser when the template is applied.","Type":"Description","Title":"CVE-2026-38432"}]}}}