ERPNext
by Frappe
CVEs (58)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2025-52047 | 0.00 | — | 0.00 | Sep 30, 2025 | In Frappe ERPNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL injection, which allows an attacker to extract all information from the database by injecting a SQL query into the filters.disabled parameter. |
| CVE-2025-52049 | 0.00 | — | 0.00 | Sep 30, 2025 | In Frappe ERPNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL injection, which allows an attacker to extract all information from the database by injecting a SQL query into the timelog parameter. |
| CVE-2025-52043 | 0.00 | — | 0.00 | Sep 30, 2025 | In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py is vulnerable to SQL injection, which allows an attacker to extract all information from the database by injecting a SQL query into the company… |
| CVE-2025-52044 | 0.00 | — | 0.00 | Sep 16, 2025 | In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL injection, which allows an attacker to extract all information from the database by injecting a SQL query into the inventory_dimensions_dict parameter. |
| CVE-2025-58439 | 0.00 | — | 0.00 | Sep 6, 2025 | ERPNext is a free and open source Enterprise Resource Planning tool. In versions below 14.89.2 and 15.0.0 through 15.75.1, lack of validation of parameters left certain endpoints vulnerable to error-based SQL injection. Some information, such as the version, could be retrieved. This issue is… |
| CVE-2022-23055 | 0.00 | — | 0.01 | Jun 22, 2022 | In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to missing authorization in the chat rooms functionality. A low-privileged attacker can send a direct message or a group message to any member or group while impersonating the administrator. The attacker… |
| CVE-2022-23058 | 0.00 | — | 0.01 | Jun 22, 2022 | ERPNext versions v12.0.9 through v13.0.3 are affected by a stored XSS vulnerability that allows low-privileged users to store malicious scripts in the 'username' field in 'my settings', which can lead to full account takeover. |
| CVE-2022-23056 | 0.00 | — | 0.01 | Jun 22, 2022 | In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to stored XSS on the Patient History page, which allows a low-privileged user to conduct an account takeover attack. |
| CVE-2022-23057 | 0.00 | — | 0.01 | Jun 22, 2022 | In ERPNext, versions v12.0.9 through v13.0.3 are vulnerable to stored cross-site scripting (XSS) because user input is not validated properly. A low-privileged attacker could inject arbitrary code into input fields when editing their profile. |
| CVE-2020-6145 | 0.00 | — | 0.02 | Aug 10, 2020 | An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability. |
| CVE-2019-20521 | 0.00 | — | 0.01 | Mar 19, 2020 | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI. |
| CVE-2019-20520 | 0.00 | — | 0.01 | Mar 19, 2020 | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI. |
| CVE-2019-20519 | 0.00 | — | 0.01 | Mar 19, 2020 | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address. |
| CVE-2019-20518 | 0.00 | — | 0.01 | Mar 19, 2020 | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI. |
| CVE-2019-20517 | 0.00 | — | 0.01 | Mar 19, 2020 | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI. |
| CVE-2019-20514 | 0.00 | — | 0.01 | Mar 19, 2020 | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI. |
| CVE-2019-20511 | 0.00 | — | 0.01 | Mar 18, 2020 | ERPNext 11.1.47 allows frame injection via the blog_category parameter of the blog?blog_category= URI. |
| CVE-2018-20061 | 0.00 | — | 0.01 | Dec 11, 2018 | A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a… |
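Seven of the entries above (CVE-2025-52047, -52049, -52043, -52044, -58439, CVE-2020-6145 and CVE-2018-20061) describe the same weakness class: a request parameter that should carry a fixed-type filter value (for example filters.disabled, which can only be 0 or 1) ends up inside the SQL text of a whitelisted endpoint, so an authenticated low-privileged caller can extend the query and read tables the endpoint was never meant to expose. The following is an added illustration of that pattern and its fix, written for this page; it is not ERPNext's or Frappe's code, and the schema, table names, the "user"/"api_secret" columns, the PAYLOAD string and the function names are all constructed for the demo.

```python
import sqlite3

# Constructed demo schema (not ERPNext's): the endpoint is meant to list income
# accounts, and a second table holds data the endpoint must never expose.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE account (name TEXT, account_type TEXT, disabled INTEGER);
        INSERT INTO account VALUES ('Sales', 'Income', 0), ('Old Sales', 'Income', 1);
        CREATE TABLE user (name TEXT, api_secret TEXT);
        INSERT INTO user VALUES ('Administrator', 'constructed-secret-value');
        """
    )
    return conn

# A filter value the caller controls. Instead of 0 or 1 it carries a UNION that
# pulls rows from the user table through the same SELECT (constructed payload).
PAYLOAD = "0 UNION SELECT api_secret FROM user"

def get_income_accounts_vulnerable(conn, disabled):
    # Bug pattern behind the SQLi entries on this page: the filter value is
    # pasted into the SQL text, so whatever it contains becomes part of the
    # statement that the database executes.
    sql = ("SELECT name FROM account "
           f"WHERE account_type = 'Income' AND disabled = {disabled}")
    return [row[0] for row in conn.execute(sql)]

def get_income_accounts_safe(conn, disabled):
    # Hardened form: allow-list the value (only "0" or "1" is meaningful for a
    # boolean filter), then bind it as a query parameter so it is sent to the
    # database as data and can never change the shape of the statement.
    value = str(disabled).strip()
    if value not in ("0", "1"):
        raise ValueError(f"disabled must be 0 or 1, got {value!r}")
    sql = ("SELECT name FROM account "
           "WHERE account_type = 'Income' AND disabled = ?")
    return [row[0] for row in conn.execute(sql, (int(value),))]

def rejects(conn, disabled):
    """True if the hardened endpoint refuses the value before running any SQL."""
    try:
        get_income_accounts_safe(conn, disabled)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, disabled=0 :", get_income_accounts_vulnerable(db, "0"))
    print("vulnerable, payload    :", get_income_accounts_vulnerable(db, PAYLOAD))
    print("safe, disabled=0       :", get_income_accounts_safe(db, "0"))
    print("safe, payload rejected :", rejects(db, PAYLOAD))
```

Parameter binding alone closes the injection for values. It does not help where the caller also chooses column names, as a dict-driven filter such as the inventory_dimensions_dict parameter in CVE-2025-52044 suggests: identifiers cannot be bound, so each key has to be checked against a fixed allow-list of column names before it is placed in the query, and the values bound as above.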
Page 3 of 3