
ERPNext CVE-2026-38431

EUVD-2026-27402 | Severity: CRITICAL
Weakness: Code Injection (CWE-94)
Published: 2026-05-05 | Source: MITRE | Advisory: GHSA-qwh3-h35h-9j9f
CVSS 3.1 base score: 9.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (2 events)

May 06, 2026 - 18:30 (vuln.today): Analysis generated
May 06, 2026 - 16:22 (NVD): CVSS changed to 9.8 (CRITICAL)

Description (NVD)

ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.

Analysis (AI-generated)

Server-Side Template Injection in ERPNext v15.103.1 and earlier allows remote code execution through malicious email templates. Attackers with email template editing permissions can inject Jinja2 expressions that execute arbitrary Python code on the server when templates are rendered. …


Remediation (AI-generated)

Within 24 hours: Identify all ERPNext instances running v15.103.1 or earlier and document current version inventory; restrict email template editing permissions to a minimal trusted group and implement approval workflows for template changes. Within 7 days: Disable email template functionality if not actively required, or isolate affected systems from production networks pending vendor patch availability. …


CVE-2026-38431 vulnerability details – vuln.today
