Home/Product/frappe erpnext
Product

frappe erpnext

59 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-44448
< 15.102.0
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to en
5.9MEDIUM
 CVE-2026-44447
< 16.9.0
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL inject
8.8HIGH
 CVE-2026-44446
< 15.104.3
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable
8.8HIGH
 CVE-2026-44445
< 15.104.3
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML
6.5MEDIUM
 CVE-2026-44442
< 16.9.1
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper a
9.9CRITICAL
 CVE-2026-44441
< 15.106.0
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a
5.0MEDIUM
 CVE-2026-44440
< 15.101.1
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pa
6.5MEDIUM
 CVE-2026-38432
<= 15.103.1
ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission
6.1MEDIUM
 CVE-2026-38431
<= 15.103.1
ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit
9.8CRITICAL
 CVE-2023-54345
all versions
Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with S
8.8HIGH
 CVE-2026-31017
all versions
A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framewor
9.1CRITICAL
 CVE-2026-32954
< 15.100.0
ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were
7.1HIGH
 CVE-2026-27471
< 15.98.1
ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, cer
9.1CRITICAL
 CVE-2025-65924
<= 15.88.1
ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically <a> hyperlinks in fields that are intended for p
4.1MEDIUM
 CVE-2025-65923
<= 15.88.1
A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when usin
5.4MEDIUM
 CVE-2025-67289
all versions
An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrar
9.6CRITICAL
 CVE-2025-66440
<= 15.89.0
An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext/accounts/doct
8.8HIGH
 CVE-2025-66439
<= 15.89.0
An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext.accounts.doct
8.8HIGH
 CVE-2025-66438
<= 15.89.0
A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanis
8.8HIGH
 CVE-2025-66437
<= 15.89.0
An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0.
8.8HIGH
 CVE-2025-66436
<= 15.89.0
An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method of Frappe ERPNext through 15.
4.3MEDIUM
 CVE-2025-66435
<= 15.89.0
An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.
4.3MEDIUM
 CVE-2025-66434
<= 15.89.0
An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.8
8.8HIGH
 CVE-2025-65267
all versions
In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed mal
9.0CRITICAL
 CVE-2025-56381
all versions
ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get en
6.5MEDIUM
 CVE-2025-56380
all versions
Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the frappe.client
6.5MEDIUM
 CVE-2025-56379
all versions
A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitra
5.4MEDIUM
 CVE-2025-52042
all versions
In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_
8.2HIGH
 CVE-2025-52041
all versions
In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation
8.2HIGH
 CVE-2025-52040
all versions
In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Injection, whi
8.2HIGH
 CVE-2025-52039
all versions
In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/materi
8.2HIGH
 CVE-2025-52050
all versions
In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loya
6.5MEDIUM
 CVE-2025-52049
all versions
In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnera
6.5MEDIUM
 CVE-2025-52047
all versions
In Frappe ErpNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, wh
6.5MEDIUM
 CVE-2025-52043
all versions
In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_imp
6.5MEDIUM
 CVE-2025-52044
all versions
In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL Injection, which allow
7.5HIGH
 CVE-2025-58439
< 14.89.2
ERP is a free and open source Enterprise Resource Planning tool. In versions below 14.89.2 and 15.0.0 through 15.75.1, lack of val
8.1HIGH
 CVE-2025-28062
all versions
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attac
8.1HIGH
 CVE-2022-28598
all versions
Frappe ERPNext 12.29.0 is vulnerable to XSS where the software does not neutralize or incorrectly neutralize user-controllable inp
6.1MEDIUM
 CVE-2022-23055
>= 11.0.4 and < 13.1.0
In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low
 CVE-2022-23058
>= 12.0.9 and < 13.1.0
ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious
 CVE-2022-23057
>= 12.0.9 and < 13.1.0
In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated p
5.4MEDIUM
 CVE-2022-23056
>= 13.0.1 and < 13.30.0
In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low
 CVE-2020-6145
all versions
An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP
8.8HIGH
 CVE-2019-20521
all versions
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI.
6.1MEDIUM
 CVE-2019-20520
all versions
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI.
6.1MEDIUM
 CVE-2019-20519
all versions
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address.
6.1MEDIUM
 CVE-2019-20518
all versions
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI.
6.1MEDIUM
 CVE-2019-20517
all versions
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI.
6.1MEDIUM
 CVE-2019-20516
all versions
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI.
6.1MEDIUM
 CVE-2019-20515
all versions
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI.
6.1MEDIUM
 CVE-2019-20514
all versions
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI.
6.1MEDIUM
 CVE-2019-20511
all versions
ERPNext 11.1.47 allows blog?blog_category= Frame Injection.
6.1MEDIUM
 CVE-2018-20061
>= 10.0.0 and <= 10.1.76
A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in
7.5HIGH
 CVE-2018-3885
all versions
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can
8.8HIGH
 CVE-2018-3884
all versions
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can
8.8HIGH
 CVE-2018-3883
all versions
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can
8.8HIGH
 CVE-2018-3882
all versions
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can
8.8HIGH
 CVE-2018-11339
all versions
An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment.
6.1MEDIUM
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin