CVE-2026-38431
Published 2026-05-05
Priority P354 · Severity: critical, 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Note that the published vector encodes PR:N (no privileges), while the description below requires an authenticated user who can create or edit email templates; with PR:L the same vector scores 8.8, and with PR:H it scores 7.2.
EPSS: 0.39% (30.8th percentile)
ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.
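No fixed release is listed in the affected-range table, so the practical first step is to find out whether any existing Email Template already carries expressions that look like a sandbox-escape or code-execution payload. The following triage script is an added example, not code from the Frappe/ERPNext project: it extracts every `{{ ... }}` and `{% ... %}` block from a template body and flags the usual Jinja SSTI gadget signals (dunder attribute access, builtin calls, OS modules, the `attr` filter, and Jinja2 default globals such as `lipsum` or `cycler` that have no legitimate use in an email body). The record shape (`name`, `subject`, `response`) is assumed to match what `frappe.get_all("Email Template", ...)` returns; the sample records are constructed for the example, and the pattern list is a heuristic, not a complete catalogue.

```python
"""Triage Jinja email-template bodies for SSTI gadget patterns (stdlib only).

Added example for CVE-2026-38431; not part of ERPNext or Frappe.
"""
import re

# Jinja2 delimiters as used by Frappe templates: {{ expression }} and {% statement %}.
_JINJA_BLOCKS = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)

# Heuristic signals of a sandbox-escape / code-execution payload. Constructed for
# this example and deliberately noisy: a hit means "a human must look", not
# "confirmed exploit".
_RISKY = [
    (re.compile(r"__\w+__"),
     "dunder attribute access (e.g. __class__, __globals__, __subclasses__)"),
    (re.compile(r"\b(?:__import__|eval|exec|compile|getattr|open)\s*\("),
     "builtin call that has no place in an email body"),
    (re.compile(r"\b(?:os|subprocess|sys|builtins|importlib)\b"),
     "reference to a process/OS module"),
    (re.compile(r"\|\s*attr\s*\("),
     "attr filter used to reach an attribute via a string (filter-based gadget)"),
    (re.compile(r"\b(?:lipsum|cycler|joiner|namespace)\b"),
     "Jinja2 default global commonly used as a gadget root"),
]


def extract_expressions(template: str) -> list[str]:
    """Return the inner text of every {{ }} and {% %} block, in document order."""
    out = []
    for m in _JINJA_BLOCKS.finditer(template):
        inner = m.group(1) if m.group(1) is not None else m.group(2)
        out.append(inner.strip())
    return out


def audit_template(template: str) -> list[tuple[str, str]]:
    """Return (expression, reason) pairs for every block that matches a risky pattern.

    Only the first matching reason per block is reported.
    """
    findings = []
    for expr in extract_expressions(template):
        for pattern, reason in _RISKY:
            if pattern.search(expr):
                findings.append((expr, reason))
                break
    return findings


def audit_records(records: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Audit subject and body of each Email Template record; map name -> findings.

    Assumed record shape (subject/response field names are an assumption about
    the Email Template DocType, not verified against the project).
    """
    report = {}
    for rec in records:
        findings = audit_template(rec.get("subject", "") or "")
        findings += audit_template(rec.get("response", "") or "")
        if findings:
            report[rec["name"]] = findings
    return report


# Constructed sample records: one benign template and two carrying gadget chains.
SAMPLE_TEMPLATES = [
    {"name": "Order Confirmation",
     "subject": "Order {{ doc.name }} received",
     "response": ("Dear {{ doc.customer_name }},\n"
                  "{% if doc.grand_total > 1000 %}Thank you for the large order.{% endif %}")},
    {"name": "Suspicious",
     "subject": "hi",
     "response": "{{ ''.__class__.__mro__[1].__subclasses__() }}"},
    {"name": "Suspicious 2",
     "subject": "hi",
     "response": "{{ lipsum|attr('__globals__') }}"},
]


if __name__ == "__main__":
    for name, findings in audit_records(SAMPLE_TEMPLATES).items():
        for expr, reason in findings:
            print(f"{name}: {reason}\n    {expr}")
```

In a real deployment, feed `audit_records` the output of `frappe.get_all("Email Template", fields=["name", "subject", "response"])` from a bench console (field names assumed as above); every flagged record should be reviewed together with its modification history, because the attacker model here is a user who already holds edit rights on the template, so the template's author and last editor are the interesting audit trail.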
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| frappe | erpnext | <= 15.103.1 | — |
GHSA
GHSA-qwh3-h35h-9j9f: ERPNext v15 (GHSA, unreviewed · 2026-05-05)
CVE-2026-38431 [CRITICAL] CWE-94
Description: same text as the CVE summary above.
VulDB
vuldb · 2026-05-05
CVE-2026-38431 [CRITICAL] Frappe ERPNext up to 15.103.1: special elements used in a template engine (Template Expression Handler)
A vulnerability has been found in Frappe ERPNext up to 15.103.1 and classified as critical. The affected code is an unknown function in the Template Expression Handler component; manipulating template input results in improper neutralization of special elements used in a template engine. The attack may be initiated remotely. No exploit is publicly available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-05