Critical severity9.8NVD Advisory· Published May 5, 2026· Updated May 8, 2026
CVE-2026-38431
CVE-2026-38431
Description
ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.
Affected products
2Patches
Vulnerability mechanics
References
1- c0wking.hashnode.dev/ssti-in-erpnext-frappe-email-template-enginenvdExploitThird Party Advisory
News mentions
0No linked articles in our index yet.