Frappe Erpnext vulnerabilities
61 known vulnerabilities affecting frappe/erpnext.
Total CVEs: 61
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 21, MEDIUM 31, LOW 2
Vulnerabilities
Page 1 of 4
CVE-2025-28062 | P3 | HIGH | CVSS 8.1 | PoC available | Affected: v14.74.3, v14.82.1 | Date: 2025-05-05
CWE-352 (Cross-Site Request Forgery)
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections.
Source: NVD
CVE-2026-44442 | P2 | CRITICAL | CVSS 9.9 | Fixed in: 16.9.1 | Date: 2026-05-13
CWE-862 (Missing Authorization)
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 16.9.1.
Source: NVD
CVE-2025-66434 | P2 | HIGH | CVSS 8.8 | Affected: ≤ 15.89.0 | Date: 2025-12-15
CWE-94 (Code Injection)
An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (body_text) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such
Source: NVD
CVE-2023-54345 | P2 | HIGH | CVSS 8.8 | Affected: v13.4.0 | Date: 2026-05-05
CWE-94 (Code Injection)
Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the gi_frame attribute to traverse the call stack and invoke
Source: NVD
CVE-2022-28598 | P3 | MEDIUM | CVSS 6.1 | PoC available | Affected: v12.29.0 | Date: 2022-08-22
CWE-79 (Cross-Site Scripting)
Frappe ERPNext 12.29.0 is vulnerable to XSS: the software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users.
Source: NVD
CVE-2018-11339 | P3 | MEDIUM | CVSS 6.1 | PoC available | Affected: v11.x.x-develop_b1036e5 | Date: 2018-05-22
CWE-79 (Cross-Site Scripting)
An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment.
Source: NVD
CVE-2025-66437 | P3 | HIGH | CVSS 8.8 | Affected: ≤ 15.89.0 | Date: 2025-12-15
CWE-94 (Code Injection)
An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.render_template() with a context derived from the address_dict parameter, which can be either a dictionary or a string referencing an Address document. Although ERPNext u
Source: NVD
CVE-2025-66440 | P3 | HIGH | CVSS 8.8 | Affected: ≤ 15.89.0 | Date: 2025-12-15
CWE-89 (SQL Injection)
An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext/accounts/doctype/payment_entry/payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by injecting SQL payloads via the to_posting_date parameter, which is directly interpolated
Source: NVD
CVE-2025-66439 | P3 | HIGH | CVSS 8.8 | Affected: ≤ 15.89.0 | Date: 2025-12-15
CWE-89 (SQL Injection)
An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext.accounts.doctype.payment_entry.payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by injecting SQL payloads via the from_posting_date parameter, which is directly interpolat
Source: NVD
CVE-2026-27471 | P3 | CRITICAL | CVSS 9.1 | Fixed in: 15.98.1, 16.6.1 (+2 more) | Date: 2026-02-21
CWE-284 (Improper Access Control)
ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1.
Source: NVD
CVE-2026-38431 | P3 | CRITICAL | CVSS 9.8 | Affected: ≤ 15.103.1 | Date: 2026-05-05
CWE-94 (Code Injection)
ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.
Source: NVD
CVE-2025-58439 | P3 | CRITICAL | CVSS 9.1 | Fixed in: 14.89.2 | Affected: ≥ 15.0.0, < 15.76.0 (+1 more) | Date: 2025-09-06
CWE-89 (SQL Injection)
ERP is a free and open source Enterprise Resource Planning tool. In versions below 14.89.2 and 15.0.0 through 15.75.1, lack of validation of parameters left certain endpoints vulnerable to error-based SQL Injection. Some information like version could be retrieved. This issue is fixed in versions 14.89.2 and 15.76.0.
Source: NVD
CVE-2026-31017 | P3 | CRITICAL | CVSS 9.1 | Affected: v16.0.1 | Date: 2026-04-08
CWE-918 (Server-Side Request Forgery)
A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as that
Source: NVD
CVE-2025-66438 | P3 | HIGH | CVSS 8.8 | Affected: ≤ 15.89.0 | Date: 2025-12-15
CWE-94 (Code Injection)
A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.get_html_and_style() triggers the rendering of the html field inside a Print Format document using frappe.render_template(template, doc) via the get_rendered_template() call chai
Source: NVD
CVE-2025-67289 | P3 | CRITICAL | CVSS 9.6 | Affected: v15.89.0 | Date: 2025-12-22
CWE-79 (Cross-Site Scripting)
An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.
Source: NVD
CVE-2020-6145 | P3 | HIGH | CVSS 8.8 | Affected: v11.1.38 | Date: 2020-08-10
CWE-89 (SQL Injection)
An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Source: NVD
CVE-2025-52041 | P3 | HIGH | CVSS 8.2 | Affected: v15.57.5 | Date: 2025-10-01
CWE-89 (SQL Injection)
In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the inventory_dimensions_dict parameter.
Source: NVD
CVE-2025-52039 | P3 | HIGH | CVSS 8.2 | Affected: v15.57.5 | Date: 2025-10-01
CWE-89 (SQL Injection)
In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/material_request.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the txt parameter.
Source: NVD
CVE-2025-52040 | P3 | HIGH | CVSS 8.2 | Affected: v15.57.5 | Date: 2025-10-01
CWE-89 (SQL Injection)
In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the blanket_order_type parameter.
Source: NVD
CVE-2025-52042 | P3 | HIGH | CVSS 8.2 | Affected: v15.57.5 | Date: 2025-10-01
CWE-89 (SQL Injection)
In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_quotation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query via the txt parameter.
Source: NVD