Skip to main content

ERPNext CVE-2026-44445

| EUVD-2026-30196 MEDIUM
Improper Restriction of XML External Entity Reference (CWE-611)
2026-05-13 GitHub_M
XXE Erpnext
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 11:13 vuln.today
Patch available
May 13, 2026 - 23:17 EUVD
CVSS changed
May 13, 2026 - 22:22 NVD
5.3 (MEDIUM)
CVE Published
May 13, 2026 - 21:17 nvd
UNKNOWN (no severity yet)

DescriptionGitHub Advisory

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference vulnerability in the EDI Module enables an authenticated attacker to read files from the local file system, including sensitive configuration files. This vulnerability is fixed in 15.104.3 and 16.12.0.

AnalysisAI

XML External Entity (XXE) injection in ERPNext's EDI Module allows authenticated low-privilege attackers to read arbitrary files from the server's local filesystem, including sensitive configuration files that may contain database credentials or API keys. Affected are all ERPNext installations on the v15 branch prior to 15.104.3 and on the v16 branch prior to 16.12.0 (cpe:2.3:a:frappe:erpnext:*). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege ERPNext credentials
Delivery
Access EDI Module via authenticated session
Exploit
Craft XML document with XXE external entity payload referencing target file
Execution
Submit document for processing
Persist
Server XML parser resolves external entity and reads local file
Impact
Retrieve sensitive config data (credentials, secret keys) from response
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Authentication is required: the CVSS 4.0 vector specifies PR:L (low-privilege authenticated access), meaning an attacker must hold a valid ERPNext account of any role. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.3 (Medium) reflects a network-reachable (AV:N), low-complexity (AC:L), no-prerequisite-condition (AT:N) attack requiring only low-privilege authentication (PR:L) with no user interaction (UI:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid low-privilege ERPNext account - such as a supplier portal user or a recently on-boarded employee - navigates to the EDI Module and submits a crafted XML document containing an external entity declaration referencing a local file path such as /home/frappe/frappe-bench/sites/[site]/site_config.json. The server's XML parser resolves the entity and the application returns the file's contents in its response, exposing the database password and Frappe secret key stored in that configuration file. …
Remediation Upgrade ERPNext to version 15.104.3 (v15 branch) or 16.12.0 (v16 branch) as the primary remediation; these are the vendor-confirmed fixed releases per GitHub Security Advisory GHSA-mhm9-75w7-423r (https://github.com/frappe/erpnext/security/advisories/GHSA-mhm9-75w7-423r). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44445 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy