Erpnext
This hub aggregates every CVE we track for Erpnext, a product in the enterprise software space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 59
- Critical: 6
- High: 22
- In CISA KEV: 0

Severity distribution: Critical 6, High 22, Medium 29, Low 2
Monthly trend (chart of CVEs published per month, 2024-07 to 2026-06)
Latest CVEs
The 15 most recently published vulnerabilities affecting Erpnext.
- CVE-2026-44448: ERPNext: Unauthorised Document modification due to missing validation (score 5.9)
- CVE-2026-44447: ERPNext: Possibility of SQL Injection due to missing validation (score 8.8)
- CVE-2026-44446: ERPNext: Possibility of SQL Injection due to missing validation (score 8.8)
- CVE-2026-44445: ERPNext: XML External Entity (XEE) Reference Vulnerability in the EDI Module (score 6.5)
- CVE-2026-44441: ERPNext: Possible SSRF by any authenticated user (score 5.0)
- CVE-2026-44440: ERPNext: Path Traversal Leading to Sensitive File Exposure (score 6.5)
- CVE-2026-44442: ERPNext: Unauthorised Document modification due to missing validation (score 9.9)
- CVE-2023-54345: Frappe Framework ERPNext 13.4.0 Remote Code Execution (score 8.8)
- CVE-2026-38432: ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript ... (score 6.1)
- CVE-2026-38431: ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed ... (score 9.8)
- CVE-2026-31017: A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized bef... (score 9.1)
- CVE-2026-32954: ERP has a possible SQL Injection vulnerability due to missing validation (score 7.1)
- CVE-2026-27471: ERP: Document access through endpoints due to missing validation (score 9.1)
- CVE-2025-65924: ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags, specifically `<a>` hyperlinks, in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTM... (score 4.1)
- CVE-2025-65923: A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Records option. An attacker can embed maliciou... (score 5.4)
Product normalization is registry-driven with AI assist and human review.