Erpnext
By the Year
In 2026 there have been 2 vulnerabilities in Erpnext with an average score of 6.5 out of ten. Last year, in 2025, Erpnext had 4 security vulnerabilities published. At the current rate, it appears that the number of vulnerabilities last year and this year may equal out. Last year, the average CVE base score was greater by 0.52.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 2 | 6.45 |
| 2025 | 4 | 6.97 |
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 4 | 8.80 |
It may take a day or so for new Erpnext vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Erpnext Security Vulnerabilities
ERPNext 13.4.0 RestrictedPython sandbox escape via server script
CVE-2023-54345
8.8 - High
May 05, 2026
Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the gi_frame attribute to traverse the call stack and invoke os.popen to execute system commands.
Code Injection
ERPNext <=15.88.1 PDF link injection via unsanitized <a> tags
CVE-2025-65924
4.1 - Medium
February 03, 2026
ERPNext through 15.88.1 does not sanitize or remove certain HTML tags, specifically `<a>` hyperlinks, in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the 'Add Quality Goal' function.
Basic XSS
Stored XSS via SVG Avatar Upload in ERPNext 15.83.2/Frappe 15.86.0
CVE-2025-65267
9 - Critical
December 03, 2025
In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.
XSS
SQLi in ERPNext 15.67 via /api/method/frappe.desk.reportview.get (order_by,group_by)
CVE-2025-56381
6.5 - Medium
October 02, 2025
ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters.
SQL Injection
ERPNext 15.67.0 stored XSS in Blog Post
CVE-2025-56379
5.4 - Medium
October 02, 2025
A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field.
XSS
CSRF in ERPNext 14.82.1: User Deletion & Privilege Escalation
CVE-2025-28062
May 05, 2025
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections.
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6
CVE-2018-3882
8.8 - High
September 12, 2018
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The searchfield parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
SQL Injection
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6
CVE-2018-3883
8.8 - High
September 12, 2018
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The employee and sort_order parameters can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
SQL Injection
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6
CVE-2018-3884
8.8 - High
September 12, 2018
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The sort_by and start parameters can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
SQL Injection
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6
CVE-2018-3885
8.8 - High
September 12, 2018
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The order_by parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
SQL Injection