High severity8.8NVD Advisory· Published Sep 12, 2018· Updated May 8, 2026

CVE-2018-3883

Description

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The employee and sort_order parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.

Affected products

Frappe/Erpnext
cpe:2.3:a:frappe:erpnext:10.1.6:*:*:*:*:*:*:*
Talos/ERPNextv5
Range: ERPNext v10.1.6 (master)

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

talosintelligence.com/vulnerability_reports/TALOS-2018-0560nvdExploitThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000