VYPR

Erpnext

by Frappe

Source repositories

CVEs (58)

  • CVE-2026-38431 (Critical) May 5, 2026
    risk 0.64, CVSS 9.8, EPSS 0.00

    ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.

  • CVE-2026-31017 (Critical) Apr 8, 2026
    risk 0.59, CVSS 9.1, EPSS 0.00

    A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML…

  • CVE-2026-44442 (Critical) May 13, 2026
    risk 0.57, CVSS 9.9, EPSS 0.00

    ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 16.9.1.

  • CVE-2023-54345 (High) May 5, 2026
    risk 0.57, CVSS 8.8, EPSS 0.01

    Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script…

  • CVE-2018-3885 (High) Sep 12, 2018
    risk 0.57, CVSS 8.8, EPSS 0.01

    An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The order_by parameter can be used to perform an SQL injection attack. An attacker can use a…

  • CVE-2018-3884 (High) Sep 12, 2018
    risk 0.57, CVSS 8.8, EPSS 0.01

    An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The sort_by and start parameters can be used to perform an SQL injection attack. An attacker can…

  • CVE-2018-3883 (High) Sep 12, 2018
    risk 0.57, CVSS 8.8, EPSS 0.01

    An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The employee and sort_order parameters can be used to perform an SQL injection attack. An attacker…

  • CVE-2018-3882 (High) Sep 12, 2018
    risk 0.57, CVSS 8.8, EPSS 0.01

    An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The searchfield parameter can be used to perform an SQL injection attack. An attacker can use a…

  • CVE-2026-44447 (High) May 13, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 16.9.0.

  • CVE-2026-44446 (High) May 13, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is…

  • CVE-2018-11339 (Medium) May 22, 2018
    risk 0.43, CVSS 6.1, EPSS 0.04

    An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment.

  • CVE-2026-38432 (Medium) May 5, 2026
    risk 0.40, CVSS 6.1, EPSS 0.00

    ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that is executed in the victim's browser when the template is applied.

  • CVE-2026-44445 (Medium) May 13, 2026
    risk 0.35, CVSS 6.5, EPSS 0.00

    ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference vulnerability in the EDI Module enables an authenticated attacker to read files from the local file system,…

  • CVE-2026-44440 (Medium) May 13, 2026
    risk 0.35, CVSS 6.5, EPSS 0.00

    ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability on an endpoint allows an authenticated adjacent attacker to read arbitrary files.…

  • CVE-2026-42840 (Medium) Jun 3, 2026
    risk 0.33, CVSS not listed, EPSS 0.00

    An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0.

  • CVE-2026-44441 (Medium) May 13, 2026
    risk 0.33, CVSS 5.0, EPSS 0.00

    ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoint, which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in…

  • CVE-2026-42839 (Medium) Jun 3, 2026
    risk 0.31, CVSS not listed, EPSS 0.00

    An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a…

  • CVE-2026-44448 (Medium) May 13, 2026
    risk 0.31, CVSS 5.9, EPSS 0.00

    ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 15.102.0 and 16.11.0.

  • CVE-2025-28062 May 5, 2025
    risk 0.03, CVSS not listed, EPSS 0.01

    A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNext 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections.

  • CVE-2022-28598 Aug 22, 2022
    risk 0.03, CVSS not listed, EPSS 0.05

    Frappe ERPNext 12.29.0 is vulnerable to XSS: the software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users.

Page 1 of 3