VYPR

Erpnext

by Frappe

Source repositories

CVEs (58)

  • CVE-2025-52047 (Sep 30, 2025)
    risk 0.00 | cvss - | epss 0.00

    In Frappe ErpNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the filters.disabled parameter.

  • CVE-2025-52049 (Sep 30, 2025)
    risk 0.00 | cvss - | epss 0.00

    In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the timelog parameter.

  • CVE-2025-52043 (Sep 30, 2025)
    risk 0.00 | cvss - | epss 0.00

    In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the company…

  • CVE-2025-52044 (Sep 16, 2025)
    risk 0.00 | cvss - | epss 0.00

    In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the inventory_dimensions_dict parameter.

  • CVE-2025-58439 (Sep 6, 2025)
    risk 0.00 | cvss - | epss 0.00

    ERP is a free and open source Enterprise Resource Planning tool. In versions below 14.89.2 and 15.0.0 through 15.75.1, lack of validation of parameters left certain endpoints vulnerable to error-based SQL Injection. Some information like version could be retrieved. This issue is…

  • CVE-2022-23055 (Jun 22, 2022)
    risk 0.00 | cvss - | epss 0.01

    In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization in the chat rooms functionality. A low-privileged attacker can send a direct message or a group message to any member or group while impersonating the administrator. The attacker…

  • CVE-2022-23058 (Jun 22, 2022)
    risk 0.00 | cvss - | epss 0.01

    ERPNext versions v12.0.9 through v13.0.3 are affected by a stored XSS vulnerability that allows low-privileged users to store malicious scripts in the ‘username’ field in ‘my settings’, which can lead to full account takeover.

  • CVE-2022-23056 (Jun 22, 2022)
    risk 0.00 | cvss - | epss 0.01

    In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS on the Patient History page, which allows a low-privileged user to conduct an account takeover attack.

  • CVE-2022-23057 (Jun 22, 2022)
    risk 0.00 | cvss - | epss 0.01

    In ERPNext, versions v12.0.9 through v13.0.3 are vulnerable to Stored Cross-Site Scripting (XSS) because user input is not validated properly. A low-privileged attacker could inject arbitrary code into input fields when editing their profile.

  • CVE-2020-6145 (Aug 10, 2020)
    risk 0.00 | cvss - | epss 0.02

    An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

  • CVE-2019-20521 (Mar 19, 2020)
    risk 0.00 | cvss - | epss 0.01

    ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI.

  • CVE-2019-20520 (Mar 19, 2020)
    risk 0.00 | cvss - | epss 0.01

    ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI.

  • CVE-2019-20519 (Mar 19, 2020)
    risk 0.00 | cvss - | epss 0.01

    ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address.

  • CVE-2019-20518 (Mar 19, 2020)
    risk 0.00 | cvss - | epss 0.01

    ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI.

  • CVE-2019-20517 (Mar 19, 2020)
    risk 0.00 | cvss - | epss 0.01

    ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI.

  • CVE-2019-20514 (Mar 19, 2020)
    risk 0.00 | cvss - | epss 0.01

    ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI.

  • CVE-2019-20511 (Mar 18, 2020)
    risk 0.00 | cvss - | epss 0.01

    ERPNext 11.1.47 allows frame injection via the blog?blog_category= parameter.

  • CVE-2018-20061 (Dec 11, 2018)
    risk 0.00 | cvss - | epss 0.01

    A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a…

Page 3 of 3