Skip to main content

ERPNext EUVDEUVD-2026-44704

| CVE-2026-55242 HIGH
Incorrect Authorization (CWE-863)
2026-07-15 GitHub_M
8.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.5 HIGH

Web-facing authenticated field yields AV:N/AC:L/PR:L/UI:N; the described impact is cross-scope data disclosure (S:C, C:H) with only incidental integrity and no availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 17:48 EUVD
Analysis Generated
Jul 15, 2026 - 16:17 vuln.today
CVE Published
Jul 15, 2026 - 15:38 cve.org
HIGH 8.8

DescriptionCVE.org

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.111.0 and 16.22.0, an authenticated user with a standard operational role can trigger server-side template injection through a configuration field, resulting in unauthorized disclosure of data outside the user's normal permission scope. This issue is fixed in versions 15.111.0 and 16.22.0.

AnalysisAI

Server-side template injection in Frappe ERPNext (versions before 15.111.0 and 16.22.0) lets an authenticated user holding only a standard operational role inject a malicious template payload into a configuration field, causing the server to render it and disclose data the user is not authorized to see. Because the flaw is rooted in an authorization failure (CWE-863), it effectively bypasses ERPNext's role/permission boundaries. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with standard operational role
Delivery
Open templated configuration field
Exploit
Inject template expression payload
Execution
Server renders template server-side
Impact
Read data outside permission scope

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account with a standard/low-privilege operational role (CVSS PR:L) and the ability to submit input into a specific ERPNext configuration field that is rendered by the server-side template engine - that templated configuration field is the exact required feature. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 3.1 score is 8.8 (High) with vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, driven largely by the scope change and triple high impacts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A disgruntled or compromised employee with a routine ERPNext operational login opens a configuration field that feeds the template engine and enters a crafted template expression instead of normal text. When the server renders that field, the payload executes in ERPNext's context and returns records - such as HR, financial, or other departments' data - that the employee's role should never be able to read. …
Remediation Vendor-released patch: upgrade to ERPNext 15.111.0 if on the 15.x branch, or to 16.22.0 if on the 16.x branch, per advisory GHSA-pxf3-4gvc-v45j (https://github.com/frappe/erpnext/security/advisories/GHSA-pxf3-4gvc-v45j). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all ERPNext instances and document which are running versions before 15.111.0 or 16.22.0; review access logs for suspicious activity from operational users in configuration fields. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-67289 CRITICAL POC
9.6 Dec 22

Stored cross-site scripting leading to code execution in Frappe Framework 15.89.0 (and the ERPNext application built on

CVE-2018-3885 HIGH POC
8.8 Sep 12

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Rated high severity (CVS

CVE-2018-3884 HIGH POC
8.8 Sep 12

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Rated high severity (CVS

CVE-2018-3883 HIGH POC
8.8 Sep 12

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Rated high severity (CVS

CVE-2018-3882 HIGH POC
8.8 Sep 12

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Rated high severity (CVS

CVE-2020-6145 HIGH POC
8.8 Aug 10

An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. Rated high sev

CVE-2025-52042 HIGH POC
8.2 Oct 01

In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/re

CVE-2025-52041 HIGH POC
8.2 Oct 01

In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reco

CVE-2025-52040 HIGH POC
8.2 Oct 01

In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Inje

CVE-2025-52039 HIGH POC
8.2 Oct 01

In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_requ

CVE-2025-28062 HIGH POC
8.1 May 05

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. Rated high severity (CV

CVE-2025-52044 HIGH POC
7.5 Sep 16

In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL Injection, w

Share

EUVD-2026-44704 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy