Erpnext
by Frappe
Source repositories
CVEs (58)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-32954 | 0.00 | — | 0.00 | Mar 20, 2026 | ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database… | |||
| CVE-2026-27471 | 0.00 | — | 0.00 | Feb 21, 2026 | ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1. | |||
| CVE-2025-65923 | 0.00 | — | 0.00 | Feb 3, 2026 | A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and… | |||
| CVE-2025-65924 | 0.00 | — | 0.00 | Feb 3, 2026 | ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can… | |||
| CVE-2025-67289 | 0.00 | — | 0.00 | Dec 22, 2025 | An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file. | |||
| CVE-2025-66439 | 0.00 | — | 0.00 | Dec 15, 2025 | An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext.accounts.doctype.payment_entry.payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by injecting SQL… | |||
| CVE-2025-66440 | 0.00 | — | 0.00 | Dec 15, 2025 | An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext/accounts/doctype/payment_entry/payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by injecting SQL… | |||
| CVE-2025-66437 | 0.00 | — | 0.01 | Dec 15, 2025 | An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.render_template() with a context derived from the address_dict parameter, which can be either a… | |||
| CVE-2025-66436 | 0.00 | — | 0.00 | Dec 15, 2025 | An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (terms) using frappe.render_template() with a user-supplied context (doc). Although… | |||
| CVE-2025-66438 | 0.00 | — | 0.00 | Dec 15, 2025 | A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.get_html_and_style() triggers the rendering of the html field inside a Print Format document using… | |||
| CVE-2025-66435 | 0.00 | — | 0.00 | Dec 15, 2025 | An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (contract_terms) using frappe.render_template() with a user-supplied context (doc).… | |||
| CVE-2025-66434 | 0.00 | — | 0.01 | Dec 15, 2025 | An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (body_text) using frappe.render_template() with a user-supplied context (doc).… | |||
| CVE-2025-65267 | 0.00 | — | 0.00 | Dec 3, 2025 | In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting… | |||
| CVE-2025-56381 | 0.00 | — | 0.00 | Oct 2, 2025 | ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters. | |||
| CVE-2025-56379 | 0.00 | — | 0.00 | Oct 2, 2025 | A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field. | |||
| CVE-2025-52041 | 0.00 | — | 0.00 | Oct 1, 2025 | In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the… | |||
| CVE-2025-52042 | 0.00 | — | 0.00 | Oct 1, 2025 | In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_quotation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query via the txt… | |||
| CVE-2025-52039 | 0.00 | — | 0.00 | Oct 1, 2025 | In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/material_request.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the… | |||
| CVE-2025-52040 | 0.00 | — | 0.00 | Oct 1, 2025 | In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker can extract all information from databases by injecting a SQL query into the blanket_order_type parameter. | |||
| CVE-2025-52050 | 0.00 | — | 0.00 | Sep 30, 2025 | In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loyalty_program.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the… |
- CVE-2026-32954Mar 20, 2026risk 0.00cvss —epss 0.00
ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database…
- CVE-2026-27471Feb 21, 2026risk 0.00cvss —epss 0.00
ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1.
- CVE-2025-65923Feb 3, 2026risk 0.00cvss —epss 0.00
A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and…
- CVE-2025-65924Feb 3, 2026risk 0.00cvss —epss 0.00
ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can…
- CVE-2025-67289Dec 22, 2025risk 0.00cvss —epss 0.00
An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.
- CVE-2025-66439Dec 15, 2025risk 0.00cvss —epss 0.00
An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext.accounts.doctype.payment_entry.payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by injecting SQL…
- CVE-2025-66440Dec 15, 2025risk 0.00cvss —epss 0.00
An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext/accounts/doctype/payment_entry/payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by injecting SQL…
- CVE-2025-66437Dec 15, 2025risk 0.00cvss —epss 0.01
An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.render_template() with a context derived from the address_dict parameter, which can be either a…
- CVE-2025-66436Dec 15, 2025risk 0.00cvss —epss 0.00
An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (terms) using frappe.render_template() with a user-supplied context (doc). Although…
- CVE-2025-66438Dec 15, 2025risk 0.00cvss —epss 0.00
A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.get_html_and_style() triggers the rendering of the html field inside a Print Format document using…
- CVE-2025-66435Dec 15, 2025risk 0.00cvss —epss 0.00
An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (contract_terms) using frappe.render_template() with a user-supplied context (doc).…
- CVE-2025-66434Dec 15, 2025risk 0.00cvss —epss 0.01
An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (body_text) using frappe.render_template() with a user-supplied context (doc).…
- CVE-2025-65267Dec 3, 2025risk 0.00cvss —epss 0.00
In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting…
- CVE-2025-56381Oct 2, 2025risk 0.00cvss —epss 0.00
ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters.
- CVE-2025-56379Oct 2, 2025risk 0.00cvss —epss 0.00
A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field.
- CVE-2025-52041Oct 1, 2025risk 0.00cvss —epss 0.00
In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the…
- CVE-2025-52042Oct 1, 2025risk 0.00cvss —epss 0.00
In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_quotation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query via the txt…
- CVE-2025-52039Oct 1, 2025risk 0.00cvss —epss 0.00
In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/material_request.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the…
- CVE-2025-52040Oct 1, 2025risk 0.00cvss —epss 0.00
In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker can extract all information from databases by injecting a SQL query into the blanket_order_type parameter.
- CVE-2025-52050Sep 30, 2025risk 0.00cvss —epss 0.00
In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loyalty_program.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the…
Page 2 of 3