Frappe ERPNext vulnerabilities
61 known vulnerabilities affecting frappe/erpnext.
Total CVEs: 61
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 21, MEDIUM 31, LOW 2
Vulnerabilities
Page 3 of 4
CVE-2025-66435 [MEDIUM] CWE-94 | P4 | CVSS 4.3 | ≤ 15.89.0 | 2025-12-15
An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (contract_terms) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals
Source: NVD
CVE-2025-66436 [MEDIUM] CWE-94 | P4 | CVSS 4.3 | ≤ 15.89.0 | 2025-12-15
An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (terms) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such
Source: NVD
CVE-2019-20511 [MEDIUM] CWE-79 | P4 | CVSS 6.1 | v11.1.47 | 2020-03-18
ERPNext 11.1.47 allows blog?blog_category= Frame Injection.
Source: NVD
CVE-2025-65923 [MEDIUM] CWE-79 | P4 | CVSS 5.4 | ≤ 15.88.1 | 2026-02-03
A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext through 15.88.1 when using the Update Existing Records option. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the affected record is viewed by a user within the ERPNext we
Source: NVD
CVE-2026-38432 [MEDIUM] CWE-79 | P4 | CVSS 6.1 | ≤ 15.103.1 | 2026-05-05
ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that is executed in the victim's browser when the template is applied.
Source: NVD
CVE-2022-23055 [MEDIUM] CWE-862 | P4 | CVSS 5.5 | ≥ 11.0.4, < 13.1.0; v11.0.3 | 2022-06-22
In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group while impersonating the administrator. The attacker can also read chat messages of groups that they do not belong to, and of
Source: NVD
CVE-2025-56379 [MEDIUM] CWE-79 | P4 | CVSS 5.4 | v15.67.0 | 2025-10-02
A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNext v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field.
Source: NVD
CVE-2022-23057 [MEDIUM] CWE-79 | P4 | CVSS 5.4 | ≥ 12.0.9, < 13.1.0 | 2022-06-22
In ERPNext, versions v12.0.9 through v13.0.3 are vulnerable to Stored Cross-Site Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing their profile.
Source: NVD
CVE-2026-42839 [MEDIUM] CWE-79 | P4 | CVSS 4.8 | v16.16.0 | 2026-06-03
An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a transaction. This issue affects ERPNext: 16.16.0.
Source: NVD
CVE-2019-20521 [MEDIUM] CWE-79 | P4 | CVSS 6.1 | v11.1.47 | 2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI.
Source: NVD
CVE-2019-20520 [MEDIUM] CWE-79 | P4 | CVSS 6.1 | v11.1.47 | 2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI.
Source: NVD
CVE-2026-44441 [MEDIUM] CWE-918 | P4 | CVSS 4.3 | fixed in 15.106.0; ≥ 16.0.0, < 16.16.0 (+1 more) | 2026-05-13
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoint, which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 15.106.0 and 16.16.0.
Source: NVD
CVE-2019-20516 [MEDIUM] CWE-79 | P4 | CVSS 6.1 | v11.1.47 | 2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI.
Source: NVD
CVE-2019-20514 [MEDIUM] CWE-79 | P4 | CVSS 6.1 | v11.1.47 | 2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI.
Source: NVD
CVE-2019-20519 [MEDIUM] CWE-79 | P4 | CVSS 6.1 | v11.1.47 | 2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address.
Source: NVD
CVE-2019-20517 [MEDIUM] CWE-79 | P4 | CVSS 6.1 | v11.1.47 | 2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI.
Source: NVD
CVE-2019-20518 [MEDIUM] CWE-79 | P4 | CVSS 6.1 | v11.1.47 | 2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI.
Source: NVD
CVE-2019-20515 [MEDIUM] CWE-79 | P4 | CVSS 6.1 | v11.1.47 | 2020-03-19
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI.
Source: NVD
CVE-2025-65924 [MEDIUM] CWE-80 | P4 | CVSS 4.1 | ≤ 15.88.1 | 2026-02-03
ERPNext through 15.88.1 does not sanitize or remove certain HTML tags, specifically `<a>` hyperlinks, in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files ge
Source: NVD
CVE-2022-23058 [LOW] CWE-79 | P4 | CVSS 3.5 | ≥ 12.0.9, < 13.1.0 | 2022-06-22
ERPNext in versions v12.0.9 through v13.0.3 is affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’, which can lead to full account takeover.
Source: NVD