
ERPNext EUVD-2026-30194 | CVE-2026-44441 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-13 · GitHub_M
5.0 (CVSS 3.1 · GitHub Advisory)

Severity by source

GitHub Advisory PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Jun 08, 2026 - 11:14 (vuln.today)
Patch available: May 13, 2026 - 23:17 (EUVD)

Description (GitHub Advisory)

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoint, which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 15.106.0 and 16.16.0.

Analysis (AI)

Server-Side Request Forgery (SSRF) in ERPNext allows an authenticated remote attacker to send a crafted request to a vulnerable endpoint, causing the ERPNext server to issue arbitrary outbound HTTP calls to attacker-controlled services. The CVSS Changed scope (S:C) indicates the impact extends beyond the application itself, enabling potential access to internal network resources, cloud metadata services, or other intranet endpoints not otherwise reachable by the attacker. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate to ERPNext with low-privilege credentials
Delivery: Identify SSRF-vulnerable HTTP endpoint via source review or probing
Exploit: Craft request embedding attacker-controlled or internal-service URL
Execution: ERPNext server issues outbound HTTP call to target URL
Impact: Attacker receives response containing internal service data or credentials

Vulnerability Assessment (AI)

Exploitation Exploitation requires a valid ERPNext user account with at minimum low-privilege access, as confirmed by the CVSS PR:L vector - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.0 score reflects a medium-severity finding: network-reachable (AV:N), low complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), but with Changed scope (S:C) and only partial confidentiality impact (C:L) with no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated ERPNext user with low-privilege access identifies the SSRF-vulnerable endpoint and submits a crafted request with a URL pointing to an internal cloud metadata service (e.g., http://169.254.169.254/latest/meta-data/iam/security-credentials/). The ERPNext server, lacking proper URL validation, initiates the HTTP call and the attacker receives the response - potentially leaking IAM credentials, instance identity data, or internal API tokens. …
Remediation Upgrade ERPNext to version 15.106.0 or later on the v15 branch, or to version 16.16.0 or later on the v16 branch - these are the vendor-confirmed fixed releases per the security advisory at https://github.com/frappe/erpnext/security/advisories/GHSA-m4m4-j2m2-7fcw. … Detailed patch versions, workarounds, and compensating controls in full report.


EUVD-2026-30194 vulnerability details – vuln.today
