PT-2026-37089 · Frappe · Erpnext

C0Wking · Published 2026-05-05 · Updated 2026-05-08 · CVE-2026-38432

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: ERPNext versions prior to 15.103.2

Description: The Email Template engine allows an attacker with permissions to create or edit email templates to inject malicious JavaScript code. This code is executed in the victim's browser when the template is applied. Cross-Site Scripting (XSS) is a flaw where malicious scripts are injected into otherwise trusted websites.

Recommendations: Update to a version newer than 15.103.1.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-38432

Affected Products: Erpnext