Search
Search Results (5 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-38431 | 2 Erpnext, Frappe | 2 Erpnext, Erpnext | 2026-05-08 | 9.8 Critical |
| ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered. | ||||
| CVE-2026-38432 | 2 Erpnext, Frappe | 2 Erpnext, Erpnext | 2026-05-08 | 6.1 Medium |
| ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's browser when the template is applied. | ||||
| CVE-2023-54345 | 2 Erpnext, Frappe | 2 Erpnext, Erpnext | 2026-05-05 | 8.8 High |
| Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the gi_frame attribute to traverse the call stack and invoke os.popen to execute system commands. | ||||
| CVE-2025-56379 | 2 Erpnext, Frappe | 3 Erpnext, Erpnext, Frappe | 2025-10-03 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field. | ||||
| CVE-2025-56381 | 2 Erpnext, Frappe | 3 Erpnext, Erpnext, Frappe | 2025-10-03 | 6.5 Medium |
| ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters. | ||||
Page 1 of 1.