
Erpnext EUVD-2026-13547

CVE-2026-32954 · HIGH
SQL Injection (CWE-89)
2026-03-20 · security-advisories@github.com
CVSS 3.1 score 7.1 · GitHub Advisory

Severity by source

GitHub Advisory (primary): 7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: Low

Lifecycle Timeline (6 events)

  • Apr 16, 2026 - 06:20 · Analysis Updated (EUVD-patch-fix, executive_summary)
  • Apr 16, 2026 - 05:29 · Re-analysis Queued (backfill_euvd_patch, patch_released)
  • Apr 16, 2026 - 05:29 · Patch available (EUVD): 15.100.0, 16.8.0
  • Mar 20, 2026 - 08:37 · EUVD ID Assigned (euvd): EUVD-2026-13547
  • Mar 20, 2026 - 08:37 · Analysis Generated (vuln.today)
  • Mar 20, 2026 - 05:16 · CVE Published (nvd): HIGH 7.1

Description (GitHub Advisory)

ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database information. This issue has been fixed in versions 15.100.0 and 16.8.0.

Analysis (AI)

A blind SQL injection vulnerability exists in ERPNext, a free and open-source Enterprise Resource Planning system, affecting versions prior to 15.100.0 and beta versions 16.0.0-beta.1 through 16.7.x. The vulnerability allows authenticated attackers with low-level privileges to perform time-based and boolean-based blind SQL injection attacks through insufficiently validated parameters on certain endpoints, enabling them to infer and extract sensitive database information. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Authenticate to ERP application
  • Exploit: Send malicious SQL payload to vulnerable endpoint
  • Execution: Execute time-based blind SQL injection queries
  • Impact: Infer database structure and sensitive data

Vulnerability Assessment (AI)

Exploitation: Requires authenticated user access to ERP versions prior to 16.8.0 and 15.100.0. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS score of 7.1 (High) reflects network-accessible exploitation with low attack complexity, requiring only low privileges and no user interaction, with high confidentiality impact and low availability impact. …

Exploit Scenario: An authenticated attacker with low-level user credentials (such as a basic employee account) accesses vulnerable ERPNext endpoints and submits crafted requests containing SQL injection payloads designed to manipulate the underlying database queries. By leveraging time-based injection techniques, the attacker measures response delays to infer whether specific conditions are true or false, systematically extracting sensitive information such as administrator credentials, financial data, customer records, or proprietary business information character by character. …

Remediation: Organizations running ERPNext should immediately upgrade to version 15.100.0 or later for the version 15 release line, or to version 16.8.0 or later for those on version 16 beta releases, as documented in the official releases at https://github.com/frappe/erpnext/releases/tag/v15.100.0 and https://github.com/frappe/erpnext/releases/tag/v16.8.0. …

Recommended Action (AI)

Within 24 hours: Identify all ERPNext instances and document current versions. …
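The remediation and recommended-action steps above amount to an inventory check: record every ERPNext version and compare it with the fixed releases. The following is an added Python example, not code from ERPNext or from the advisory, that classifies recorded versions against the affected ranges stated on this page (v15 below 15.100.0; v16 from 16.0.0-beta.1 up to but not including 16.8.0). The sample inventory, its hostnames, and the semantic-versioning treatment of a pre-release tag on the fixed version itself are assumptions.

```python
import re

# Fixed versions named by the advisory: 15.100.0 for the v15 line, 16.8.0 for the v16 line.
FIXED_VERSIONS = {15: (15, 100, 0), 16: (16, 8, 0)}
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Split '16.0.0-beta.1' into ((16, 0, 0), 'beta.1'); final releases carry None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ERPNext version string: {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)


def assess(version):
    """Classify one installed version against the advisory's affected ranges.

    'affected' : v15 below 15.100.0, or v16 from 16.0.0-beta.1 up to (not including) 16.8.0
    'fixed'    : 15.100.0 or later, 16.8.0 or later (final releases)
    'unlisted' : release lines the advisory does not name (e.g. 14.x); check those separately
    Assumption: a pre-release of the fixed version itself (16.8.0-beta.1) sorts below the
    final 16.8.0, as in semantic versioning, so it is still reported as affected.
    """
    core, prerelease = parse_version(version)
    fixed = FIXED_VERSIONS.get(core[0])
    if fixed is None:
        return "unlisted"
    if core < fixed or (core == fixed and prerelease is not None):
        return "affected"
    return "fixed"


def hosts_needing_upgrade(inventory):
    """Return the hosts whose recorded ERPNext version is affected, sorted for reporting."""
    return sorted(host for host, ver in inventory.items() if assess(ver) == "affected")


# Constructed sample inventory: hostnames and versions are illustrative, not real systems.
SAMPLE_INVENTORY = {
    "erp-prod-01": "15.99.3",
    "erp-prod-02": "15.100.0",
    "erp-staging": "16.0.0-beta.1",
    "erp-dev": "16.7.2",
    "erp-pilot": "v16.8.0",
    "erp-legacy": "14.74.1",
}

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> upgrade required")
```

Hosts reported as "unlisted" are not cleared by this check; they fall outside the ranges the advisory names and need a separate decision.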




EUVD-2026-13547 vulnerability details – vuln.today
