Frappe Erpnext
19 CVEs affecting Frappe Erpnext. Latest disclosed: 2026-06-03. Critical: 2, High: 9.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-44442 | Critical | 9.9 | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing… |
| CVE-2026-38431 | Critical | 9.8 | 2026-05-05 | ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject t… |
| CVE-2026-44447 | High | 8.8 | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL injection through specially crafted… |
| CVE-2026-44446 | High | 8.8 | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through spe… |
| CVE-2023-54345 | High | 8.8 | 2026-05-05 | Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute… |
| CVE-2018-3885 | High | 8.8 | 2018-09-12 | An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulti… |
| CVE-2018-3884 | High | 8.8 | 2018-09-12 | An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulti… |
| CVE-2018-3883 | High | 8.8 | 2018-09-12 | An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulti… |
| CVE-2018-3882 | High | 8.8 | 2018-09-12 | An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulti… |
| CVE-2025-58439 | High | 8.1 | 2025-09-06 | ERP is a free and open source Enterprise Resource Planning tool. In versions below 14.89.2 and 15.0.0 through 15.75.1, lack of validation of parameters left ce… |
| CVE-2026-32954 | High | 7.1 | 2026-03-20 | ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and… |
| CVE-2026-44445 | Medium | 6.5 | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) refere… |
| CVE-2026-44440 | Medium | 6.5 | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pathname to a Restricted Direct… |
| CVE-2026-38432 | Medium | 6.1 | 2026-05-05 | ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email temp… |
| CVE-2026-44448 | Medium | 5.9 | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce proper authorization ch… |
| CVE-2026-44441 | Medium | 5.0 | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoin… |
| CVE-2026-42840 | | | 2026-06-03 | An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Poi… |
| CVE-2026-42839 | | | 2026-06-03 | An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item… |
| CVE-2026-27471 | | | 2026-02-21 | ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access… |