Erpnext
Stored cross-site scripting in ERPNext 16.16.0 allows an authenticated user holding Item record edit permissions to persist malicious HTML/JavaScript in the item_name, description, or image fields, which executes unescaped in the Point of Sale (POS) cart interface for any operator who subsequently adds that item to a transaction. Reported by Fluid Attacks (EUVD-2026-34158), this is a stored XSS with lateral impact across all POS operator sessions exposed to the poisoned item record. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; the CVSS 4.0 score of 4.8 reflects the constrained attack surface imposed by high privilege prerequisites and required passive user interaction.
Stored cross-site scripting in ERPNext 16.16.0 allows authenticated users to inject arbitrary HTML and JavaScript into the email_id or mobile_no fields of Customer records, which execute silently in the browser of every Point of Sale (POS) operator who subsequently selects the poisoned customer. Because the payload persists in the database, a single injection event affects all future POS operator sessions that encounter that customer - creating a multiplier effect without requiring repeated attacker access. No public exploit code or CISA KEV listing exists at time of analysis; EPSS data was not provided in available intelligence sources.
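Both POS entries above share a property worth acting on: the payload lives in the Item or Customer record, so upgrading stops new injections but does not remove what is already stored. The following is an added example, not code from ERPNext or from the advisories, that audits records for markup in the fields the two advisories name and contrasts the unsafe interpolation pattern with output escaping. The field list, the record layout and the sample records are constructed for illustration; real data would be pulled from the site database.

```python
import html
import re

# Fields the two advisories name as injection points. Treating them as plain
# text is this example's assumption; any markup found in them is suspect.
PLAIN_TEXT_FIELDS = {
    "Item": ("item_name", "description", "image"),
    "Customer": ("email_id", "mobile_no"),
}

# Tags, inline event handlers and script-bearing URL schemes. Deliberately
# broad: this is an audit that flags records for review, not a sanitizer.
MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-z!]|on[a-z]+\s*=|javascript\s*:|data\s*:\s*text/html",
    re.IGNORECASE,
)


def find_suspicious_fields(doctype, records):
    """Return (record name, field, value) for every plain-text field that carries markup."""
    hits = []
    for rec in records:
        for field in PLAIN_TEXT_FIELDS.get(doctype, ()):
            value = rec.get(field)
            if isinstance(value, str) and MARKUP_RE.search(value):
                hits.append((rec.get("name"), field, value))
    return hits


def render_cart_line_unsafe(item):
    # Vulnerable pattern: a stored field value is interpolated straight into HTML,
    # so whatever was saved in item_name runs in every operator's browser.
    return f'<div class="item-name">{item["item_name"]}</div>'


def render_cart_line_safe(item):
    # Hardened pattern: escape at the output boundary, every time the value is rendered.
    return f'<div class="item-name">{html.escape(item["item_name"], quote=True)}</div>'


# Constructed sample records (not real data).
SAMPLE_ITEMS = [
    {"name": "ITEM-0001", "item_name": "Widget", "description": "Plain text", "image": "/files/w.png"},
    {"name": "ITEM-0002", "item_name": "<img src=x onerror=alert(1)>", "description": "", "image": ""},
]
SAMPLE_CUSTOMERS = [
    {"name": "CUST-0001", "email_id": "a@example.com", "mobile_no": "+100000000"},
    {"name": "CUST-0002", "email_id": "<script>alert(1)</script>", "mobile_no": "+100000001"},
]

if __name__ == "__main__":
    for doctype, recs in (("Item", SAMPLE_ITEMS), ("Customer", SAMPLE_CUSTOMERS)):
        for name, field, value in find_suspicious_fields(doctype, recs):
            print(f"{doctype} {name}.{field}: {value!r}")
    print(render_cart_line_safe(SAMPLE_ITEMS[1]))
```

Run the audit against the Item and Customer tables after patching; each hit is a record that an earlier injection left behind and that still fires in any unpatched client. Escaping belongs at the point of rendering rather than at save time, because a field that is plain text in the POS cart may legitimately hold markup elsewhere.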
Insufficient authorization enforcement on specific ERPNext endpoints allows authenticated low-privilege users to read sensitive data beyond their permitted role and make limited unauthorized data modifications. Affecting all ERPNext deployments prior to 15.102.0 (v15 branch) and prior to 16.11.0 (v16 branch), an attacker holding any valid user account can invoke unprotected server-side endpoints to access restricted records or alter data outside their role scope. No public exploit code exists and SSVC confirms no active exploitation, but the high confidentiality impact (CVSS C:H) warrants prompt patching - particularly on internet-exposed ERPNext instances where low-privilege accounts may be broadly distributed.
SQL injection in ERPNext versions prior to 16.9.0 allows authenticated remote attackers to extract sensitive data by sending specially crafted requests to vulnerable endpoints. The Frappe-maintained ERP platform requires low-privileged authentication (PR:L) but has high impact on confidentiality, integrity, and availability per CVSS 8.8. No public exploit identified at time of analysis, and EPSS probability is very low (0.04%).
SQL injection in ERPNext (Frappe's open-source ERP platform) prior to 15.104.3 and 16.14.0 allows authenticated remote attackers to extract sensitive database contents by sending crafted requests to vulnerable endpoints. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability, though EPSS sits at 0.04% and SSVC reports no observed exploitation, indicating this is a high-severity but currently unexploited issue. No public exploit identified at time of analysis.
XML External Entity (XXE) injection in ERPNext's EDI Module allows authenticated low-privilege attackers to read arbitrary files from the server's local filesystem, including sensitive configuration files that may contain database credentials or API keys. Affected are all ERPNext installations on the v15 branch prior to 15.104.3 and on the v16 branch prior to 16.12.0 (cpe:2.3:a:frappe:erpnext:*). No public exploit identified at time of analysis, EPSS exploitation probability sits at 0.06% (18th percentile), and CISA SSVC assesses exploitation as none and the attack as non-automatable - collectively placing this at lower operational priority despite its network-accessible attack vector.
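The EDI entry above is the classic XXE shape: a document that declares an external entity pointing at a local file and then references it. As an added example, not code from ERPNext's EDI module, the check below refuses any payload that carries a DTD before it reaches the parser; the sample payloads and the file path inside them are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Any DTD is grounds for rejection: entity declarations (internal or external)
# are the XXE vehicle, and an EDI payload has no legitimate need for one.
DTD_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXML(ValueError):
    pass


def parse_edi_safely(payload: bytes) -> ET.Element:
    """Reject any document that carries a DTD, then parse with the stdlib parser."""
    if DTD_RE.search(payload):
        raise UnsafeXML("DTD / entity declaration not allowed in EDI payload")
    return ET.fromstring(payload)


def is_xxe_attempt(payload: bytes) -> bool:
    """Convenience wrapper for audits: True when the payload would be refused."""
    try:
        parse_edi_safely(payload)
    except UnsafeXML:
        return True
    return False


# Constructed sample payloads; the SYSTEM path is illustrative only.
BENIGN = b"<?xml version='1.0'?><order><id>42</id></order>"
XXE = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>"
    b"<order><id>&xxe;</id></order>"
)

if __name__ == "__main__":
    print("benign parsed:", parse_edi_safely(BENIGN).find("id").text)
    print("xxe rejected:", is_xxe_attempt(XXE))
```

Rejecting the DTD up front is independent of which XML library does the parsing. If the code path uses lxml, the parser should additionally be constructed with `resolve_entities=False`, `load_dtd=False` and `no_network=True`; defusedxml wraps the stdlib parsers with equivalent protections.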
Server-Side Request Forgery (SSRF) in ERPNext allows an authenticated remote attacker to send a crafted request to a vulnerable endpoint, causing the ERPNext server to issue arbitrary outbound HTTP calls to attacker-controlled services. The CVSS Changed scope (S:C) indicates the impact extends beyond the application itself, enabling potential access to internal network resources, cloud metadata services, or other intranet endpoints not otherwise reachable by the attacker. Vendor-released patches exist in versions 15.106.0 and 16.16.0; no active exploitation has been confirmed (not listed in CISA KEV) and EPSS sits at a very low 0.02%.
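The scope change the SSRF entry describes comes from the server reaching addresses the attacker cannot: loopback services, RFC 1918 ranges and the cloud metadata endpoint. As an added example, not ERPNext's own code, the guard below validates an outbound URL by scheme, host name and every resolved address before any request is made. The resolver is injectable so the demonstration runs offline; the sample addresses are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Names that resolve to something the server should never be steered toward.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


class SSRFBlocked(ValueError):
    pass


def static_resolver(*addresses):
    """Resolver that maps any host name to fixed addresses (offline demos and tests)."""
    ips = [ipaddress.ip_address(a) for a in addresses]
    return lambda host: ips


def resolve_all(host, resolver=None):
    """Every address the name maps to; a single public A record is not enough."""
    if resolver is not None:
        return resolver(host)
    return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)]


def is_public_address(ip):
    # Covers 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16 (cloud metadata),
    # ::1, fe80::/10, 0.0.0.0 and multicast/reserved space.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=None):
    """Return the vetted addresses for url, or raise SSRFBlocked."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host or host.lower() in BLOCKED_HOSTNAMES:
        raise SSRFBlocked(f"host not allowed: {host!r}")
    try:
        ips = [ipaddress.ip_address(host)]        # literal IPv4/IPv6 in the URL
    except ValueError:
        ips = resolve_all(host, resolver)          # a name: check every answer
    for ip in ips:
        if not is_public_address(ip):
            raise SSRFBlocked(f"{host} resolves to non-public address {ip}")
    return ips


def is_blocked(url, resolver=None):
    try:
        check_outbound_url(url, resolver)
        return False
    except SSRFBlocked:
        return True


if __name__ == "__main__":
    public = static_resolver("93.184.216.34")     # constructed public address
    for u in ("https://example.com/webhook", "http://169.254.169.254/latest/meta-data/",
              "http://[::1]/", "file:///etc/passwd"):
        print(f"{u}: {'blocked' if is_blocked(u, public) else 'allowed'}")
```

Two caveats follow from how the check works. It validates the addresses at check time, so the HTTP client must connect to one of the returned addresses rather than re-resolving the name (otherwise DNS rebinding defeats it), and the same check must run again on every redirect target, since a public host can 302 to the metadata endpoint.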
Path traversal in ERPNext exposes arbitrary server files to authenticated low-privileged users via a vulnerable endpoint that fails to restrict directory access. Affected versions are ERPNext prior to 15.101.1 and the 16.x beta line prior to 16.10.0, packaged under CPE cpe:2.3:a:frappe:erpnext. An attacker with a valid account can craft a request to read sensitive files outside the intended directory scope, resulting in full confidentiality compromise of the host filesystem. No public exploit identified at time of analysis, and CISA SSVC signals no active exploitation.
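A path traversal of the kind described above is closed by resolving the requested path and confirming it is still under the intended directory, rather than by stripping `../` sequences. The check below is an added example, not ERPNext's fix; the base directory and file names are illustrative and the symlink demonstration builds its own temporary tree.

```python
import os
import tempfile


class PathTraversal(ValueError):
    pass


def resolve_within(base_dir, user_path):
    """Absolute path for user_path, only if it stays inside base_dir after symlink resolution."""
    base = os.path.realpath(base_dir)
    # Drop leading separators so an absolute user path cannot replace base via os.path.join.
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    # realpath has already collapsed '..' and followed symlinks; now confirm containment.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversal(f"{user_path!r} escapes {base_dir!r}")
    return candidate


def is_safe(base_dir, user_path):
    try:
        resolve_within(base_dir, user_path)
        return True
    except PathTraversal:
        return False


def demo_symlink_escape():
    """A symlink inside the base that points outside it must be refused as well.

    Returns False when the escape was blocked, None on platforms without symlinks.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "files")
        os.mkdir(base)
        outside = os.path.join(tmp, "secret.txt")          # constructed, stands in for a config file
        with open(outside, "w") as fh:
            fh.write("not a real secret")
        try:
            os.symlink(outside, os.path.join(base, "innocent.txt"))
        except OSError:
            return None
        return is_safe(base, "innocent.txt")


if __name__ == "__main__":
    base = "/srv/app/sites/site1/private/files"             # illustrative base directory
    for p in ("reports/q1.pdf", "../../site_config.json", "reports/../../../../etc/passwd"):
        print(f"{p!r}: {'ok' if is_safe(base, p) else 'BLOCKED'}")
    print("symlink escape blocked:", demo_symlink_escape() is False)
```

The containment test uses `commonpath` on fully resolved paths, which is what catches both `..` segments and symlinks; a prefix test on the raw string would accept `/srv/app/files_backup` as being inside `/srv/app/files`.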
Privilege escalation in ERPNext versions prior to 16.9.1 allows authenticated low-privileged users to modify data outside their assigned role due to missing authorization checks on certain endpoints. The flaw carries a CVSS 9.9 score with scope change, but EPSS is only 0.04%, CISA SSVC reports no observed exploitation, and no public exploit has been identified at time of analysis. The vendor (Frappe) has released a patched version 16.9.1 alongside GHSA-cg5w-7g26-p3w9.
A blind SQL injection vulnerability exists in ERPNext, a free and open-source Enterprise Resource Planning system, affecting versions prior to 15.100.0 and beta versions 16.0.0-beta.1 through 16.7.x. The vulnerability allows authenticated attackers with low-level privileges to perform time-based and boolean-based blind SQL injection attacks through insufficiently validated parameters on certain endpoints, enabling them to infer and extract sensitive database information. This is tagged as an SQLi vulnerability and has been assigned EUVD-2026-13547 by ENISA, with patches available in versions 15.100.0 and 16.8.0.
Missing authorization in ERPNext ERP before 15.98.0/16.6.0. Patch available.
ERPNext through 15.88.1 does not sanitize or remove certain HTML tags, specifically `<a>` hyperlinks, in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. [CVSS 4.1 MEDIUM]
A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext through 15.88.1 when using the Update Existing Records option. [CVSS 5.4 MEDIUM]
In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.
ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters.
Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability in the frappe.client.get_value API endpoint via a crafted payload passed in the fieldname parameter.
A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field.
In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_quotation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query via the txt parameter.
In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the inventory_dimensions_dict parameter.
In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the blanket_order_type parameter.
In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/material_request.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the txt parameter.
In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loyalty_program.py is vulnerable to SQL Injection, which allows an. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL Injection, which allows an attacker to extract all. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
In Frappe ErpNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py is vulnerable to SQL injection, which allows an attacker to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
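The SQL injection entries on this page, from the reportview order_by/group_by and get_value fieldname findings to the per-function 15.57.5 reports, share one root cause: caller-controlled text that names a column, an ordering or a filter is pasted into the query. Identifiers cannot be bound as query parameters, so the fix is an allowlist on the identifier plus parameter binding for values. The following is an added example written for this page, not ERPNext or Frappe code and not the grammar Frappe itself validates against; it runs against a constructed in-memory SQLite schema (the table names echo Frappe's `tab` prefix but the rows are made up) and shows a boolean-based blind extraction through the unsafe ORDER BY next to the allowlisted version.

```python
import re
import sqlite3

# Allowlist for an ORDER BY term: optional backticked table, a column, optional direction.
# This is the example's own grammar, chosen to reject anything that is not an identifier.
ORDER_BY_RE = re.compile(
    r"^(?:`?[A-Za-z_][A-Za-z0-9_]*`?\.)?`?[A-Za-z_][A-Za-z0-9_]*`?(?:\s+(?:asc|desc))?$",
    re.IGNORECASE,
)
FIELDNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class InvalidIdentifier(ValueError):
    pass


def validate_order_by(order_by):
    for part in order_by.split(","):
        if not ORDER_BY_RE.match(part.strip()):
            raise InvalidIdentifier(f"bad order_by term: {part.strip()!r}")
    return order_by


def validate_fieldname(fieldname, allowed_columns):
    # Syntactic check plus a per-table allowlist: a well-formed name for a
    # column the caller may not read (api_secret) is still rejected.
    if not FIELDNAME_RE.match(fieldname) or fieldname not in allowed_columns:
        raise InvalidIdentifier(f"bad fieldname: {fieldname!r}")
    return fieldname


def make_db():
    """Constructed schema and rows; nothing here is real ERPNext data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tabItem (name TEXT, item_name TEXT, valuation_rate REAL);
        CREATE TABLE tabUser (name TEXT, api_secret TEXT);
        INSERT INTO tabItem VALUES ('ITEM-0001', 'Widget', 10.0), ('ITEM-0002', 'Gadget', 20.0);
        INSERT INTO tabUser VALUES ('admin@example.com', 's3cr3t-constructed');
    """)
    return conn


def get_items_unsafe(conn, order_by):
    # Vulnerable pattern: caller-controlled ORDER BY text goes straight into the query.
    return conn.execute(f"SELECT name, item_name FROM tabItem ORDER BY {order_by}").fetchall()


def get_items_safe(conn, order_by):
    # Same query, but the term must pass the identifier allowlist first.
    return conn.execute(
        f"SELECT name, item_name FROM tabItem ORDER BY {validate_order_by(order_by)}"
    ).fetchall()


def get_value_safe(conn, fieldname, name):
    # The column is allowlisted, the row key is bound as a parameter.
    col = validate_fieldname(fieldname, {"item_name", "valuation_rate"})
    row = conn.execute(f"SELECT {col} FROM tabItem WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def infer_secret_prefix_unsafe(conn, length=6):
    """Boolean-based blind extraction through the unsafe ORDER BY.

    Ordering by name puts ITEM-0001 first, ordering by item_name puts ITEM-0002
    first, so a CASE expression turns row order into a one-bit oracle per guess.
    """
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789-"
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            probe = (f"CASE WHEN (SELECT substr(api_secret,{pos},1) FROM tabUser) = '{ch}' "
                     f"THEN name ELSE item_name END")
            if get_items_unsafe(conn, probe)[0][0] == "ITEM-0001":
                recovered += ch
                break
        else:
            break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("leaked via unsafe ORDER BY:", infer_secret_prefix_unsafe(db))
    print("safe, legitimate term:", get_items_safe(db, "item_name desc"))
    try:
        get_items_safe(db, "(SELECT api_secret FROM tabUser)")
    except InvalidIdentifier as exc:
        print("safe, rejected:", exc)
```

Time-based variants replace the CASE expression with a deliberately slow subquery and measure latency instead of row order; the allowlist rejects both shapes because neither is an identifier. Parameter binding alone would not have helped here, since the injected text is in identifier position rather than value position.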
ERPNext is a free and open source Enterprise Resource Planning tool. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.