A vulnerability marked as problematic has been reported in Frappe ERPNext 16.16.0 . Impacted is an unknown function. This manipulation of the argument email_id/mobile_no causes cross site scripting. This vulnerability is tracked as CVE-2026-42840 . The attack is possible to be carried out remotely. No exploit exists.