What is CVE-2026-44445?

CVE-2026-44445 is a medium-severity vulnerability in Frappe Erpnext, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 6.5/10. Published 2026-05-13.

How severe is CVE-2026-44445?

Medium severity. CVSS v3 base score is 6.5 out of 10.

XXE in Frappe Erpnext

CVE-2026-44445

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference vulnerability in the EDI Module enables an authenticated attacker to read fi…

Vulnerability class: XXE (XML External Entity)

EPSS: 0.001 (15.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.

Affected products

Frappe Erpnext — versions >= 16.0.0-beta.1, < 16.12.0, < 15.104.3

Weakness classification (CWE)

CWE-611 — Improper Restriction of XML External Entity Reference (XXE)

References

security-advisories@github.com (x_refsource_CONFIRM, Vendor Advisory)

Frequently asked questions

What is CVE-2026-44445?: CVE-2026-44445 is a medium-severity vulnerability in Frappe Erpnext, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 6.5/10. Published 2026-05-13.
How severe is CVE-2026-44445?: Medium severity. CVSS v3 base score is 6.5 out of 10.