Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Web-facing authenticated field yields AV:N/AC:L/PR:L/UI:N; the described impact is cross-scope data disclosure (S:C, C:H) with only incidental integrity and no availability effect.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.111.0 and 16.22.0, an authenticated user with a standard operational role can trigger server-side template injection through a configuration field, resulting in unauthorized disclosure of data outside the user's normal permission scope. This issue is fixed in versions 15.111.0 and 16.22.0.
AnalysisAI
Server-side template injection in Frappe ERPNext (versions before 15.111.0 and 16.22.0) lets an authenticated user holding only a standard operational role inject a malicious template payload into a configuration field, causing the server to render it and disclose data the user is not authorized to see. Because the flaw is rooted in an authorization failure (CWE-863), it effectively bypasses ERPNext's role/permission boundaries. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account with a standard/low-privilege operational role (CVSS PR:L) and the ability to submit input into a specific ERPNext configuration field that is rendered by the server-side template engine - that templated configuration field is the exact required feature. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 3.1 score is 8.8 (High) with vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, driven largely by the scope change and triple high impacts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A disgruntled or compromised employee with a routine ERPNext operational login opens a configuration field that feeds the template engine and enters a crafted template expression instead of normal text. When the server renders that field, the payload executes in ERPNext's context and returns records - such as HR, financial, or other departments' data - that the employee's role should never be able to read. … |
| Remediation | Vendor-released patch: upgrade to ERPNext 15.111.0 if on the 15.x branch, or to 16.22.0 if on the 16.x branch, per advisory GHSA-pxf3-4gvc-v45j (https://github.com/frappe/erpnext/security/advisories/GHSA-pxf3-4gvc-v45j). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all ERPNext instances and document which are running versions before 15.111.0 or 16.22.0; review access logs for suspicious activity from operational users in configuration fields. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Stored cross-site scripting leading to code execution in Frappe Framework 15.89.0 (and the ERPNext application built on
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Rated high severity (CVS
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Rated high severity (CVS
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Rated high severity (CVS
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Rated high severity (CVS
An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. Rated high sev
In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/re
In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reco
In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Inje
In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_requ
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. Rated high severity (CV
In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL Injection, w
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44704