What is the CVSS score of CVE-2026-44446?

CVE-2026-44446 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of ERPNext are affected by CVE-2026-44446?

ERPNext deployments running versions prior to 15.104.3 or 16.14.0 contain a SQL injection vulnerability allowing authenticated users to extract sensitive financial and operational data directly from…. A patch is available.

How to fix or mitigate CVE-2026-44446?

24 hours: Inventory all ERPNext instances and document current versions across production and non-production environments. 7 days: Deploy patches to ERPNext 15.104.3 (for 15.x installations) or 16.14.0 (for 16.x installations). 30 days: Validate patch deployment completion, review database access logs for suspicious SQL patterns from the prior 90 days, and confirm no lateral movement from affected systems.

ERPNext CVE-2026-44446

EUVD-2026-30197 HIGH

SQL Injection (CWE-89)

2026-05-13 GitHub_M

SQLi Erpnext

8.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 08, 2026 - 09:02 vuln.today

Patch available

May 13, 2026 - 23:17 EUVD

DescriptionGitHub Advisory

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 15.104.3 and 16.14.0.

AnalysisAI

SQL injection in ERPNext (Frappe's open-source ERP platform) prior to 15.104.3 and 16.14.0 allows authenticated remote attackers to extract sensitive database contents by sending crafted requests to vulnerable endpoints. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability, though EPSS sits at 0.04% and SSVC reports no observed exploitation, indicating this is a high-severity but currently unexploited issue. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain low-privileged ERPNext account

Delivery

Identify vulnerable endpoint

Exploit

Send crafted HTTP request with SQL payload

Execution

Inject query into backend MariaDB

Persist

Exfiltrate sensitive table data

Impact

Pivot using harvested credentials or keys

Access

Obtain low-privileged ERPNext account

Delivery

Identify vulnerable endpoint

Exploit

Send crafted HTTP request with SQL payload

Execution

Inject query into backend MariaDB

Persist

Exfiltrate sensitive table data

Impact

Pivot using harvested credentials or keys

Vulnerability AssessmentAI

Exploitation	Attacker must possess valid authentication credentials to the ERPNext instance (CVSS PR:L), meaning self-service signup, leaked credentials, or insider access is the prerequisite - pure unauthenticated exploitation is not indicated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Signals are mixed and warrant nuanced prioritization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker registers or compromises a low-privileged ERPNext account - for example a customer or supplier portal user on an internet-facing instance - then sends a crafted HTTP request to one of the vulnerable endpoints with malicious SQL syntax embedded in a parameter. The injected query extracts sensitive table contents such as user password hashes, API keys, financial records, or PII directly from the MariaDB backend. …
Remediation	Vendor-released patch: upgrade to ERPNext 15.104.3 (for the 15.x branch) or 16.14.0 (for the 16.x branch) as documented in the upstream advisory at https://github.com/frappe/erpnext/security/advisories/GHSA-6fm9-g88m-hxr7. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all ERPNext instances and document current versions across production and non-production environments. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-44446 vulnerability details – vuln.today

Back

ERPNext CVE-2026-44446

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code