Frappe ERPNext Security Vulnerabilities

By the Year

In 2026 there have been 4 vulnerabilities in Frappe ERPNext with an average score of 7.2 out of ten. Last year, in 2025, ERPNext had 17 security vulnerabilities published. Right now, ERPNext is on track to have fewer security vulnerabilities in 2026 than it did last year. Last year, the average CVE base score was greater by 0.42.

Year  Vulnerabilities  Average Score
2026  4                7.20
2025  17               7.62
2024  0                0.00
2023  0                0.00
2022  5                5.54
2021  0                0.00
2020  10               0.00
2019  0                0.00
2018  2                0.00

It may take a day or so for new ERPNext vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Frappe Erpnext Security Vulnerabilities

SSRF via PDF Render in ERPNext 16.0.1 Print Format
CVE-2026-31017 9.1 - Critical - April 08, 2026

A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure.

SSRF

ERP <16.8.0/15.100.0: Time/Boolean Blind SQLi via API Endpoints
CVE-2026-32954 7.1 - High - March 20, 2026

ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database information. This issue has been fixed in versions 15.100.0 and 16.8.0.

SQL Injection

Unauthorized Document Access in ERPNext <=15.98.0 and 16.0.0-rc.1 through 16.6.0 (CVE-2026-27471)
CVE-2026-27471 - February 21, 2026

ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1.

AuthZ

ERPNext 15.88.1 CSV Import Stored XSS via Update Existing Records
CVE-2025-65923 5.4 - Medium - February 03, 2026

A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext through 15.88.1 when using the Update Existing Records option. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the affected record is viewed by a user within the ERPNext web interface. This exposure may allow an attacker to compromise user sessions or perform unauthorized actions under the context of a victim's account.

XSS

SQLi in Frappe ERPNext 15.89.0 via to_posting_date
CVE-2025-66440 9.8 - Critical - December 15, 2025

An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext/accounts/doctype/payment_entry/payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by injecting SQL payloads via the to_posting_date parameter, which is directly interpolated into the query without proper sanitization or parameter binding.

SQL Injection

SSTI in Frappe ERPNext 15.89.0 get_contract_template: Authenticated RCE
CVE-2025-66435 4.3 - Medium - December 15, 2025

An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (contract_terms) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to create or modify a Contract Template can inject arbitrary Jinja expressions into the contract_terms field, resulting in server-side code execution within a restricted but still unsafe context. This vulnerability can be used to leak database information.

SSTI (CWE-1336)

SSTI in Frappe ERPNext (15.89.0) get_dunning_letter_text allows code exec
CVE-2025-66434 8.8 - High - December 15, 2025

An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (body_text) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to configure Dunning Type and its child table Dunning Letter Text can inject arbitrary Jinja expressions, resulting in server-side code execution within a restricted but still unsafe context. This can leak database information.

SSTI (CWE-1336)

ERPNext v15.89.0 - SQLi via get_outstanding_reference_documents() in payment_entry.py
CVE-2025-66439 9.8 - Critical - December 15, 2025

An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext.accounts.doctype.payment_entry.payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by injecting SQL payloads via the from_posting_date parameter, which is directly interpolated into the query without proper sanitization or parameter binding.

SQL Injection

SSTI in Frappe ERPNext 15.89.0 Print Format Rendering
CVE-2025-66438 9.8 - Critical - December 15, 2025

A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.get_html_and_style() triggers the rendering of the html field inside a Print Format document using frappe.render_template(template, doc) via the get_rendered_template() call chain. Although ERPNext wraps Jinja2 in a SandboxedEnvironment, it exposes sensitive functions such as frappe.db.sql through get_safe_globals(). An authenticated attacker with permission to create or modify a Print Format can inject arbitrary Jinja expressions into the html field. Once the malicious Print Format is saved, the attacker can call get_html_and_style() with a target document (e.g., Supplier or Sales Invoice) to trigger the render process. This leads to information disclosure from the database, such as database version, schema details, or sensitive values, depending on the injected payload. Exploitation flow: Create a Print Format with SSTI payload in the html field; call the get_html_and_style() API; triggers frappe.render_template(template, doc) inside get_rendered_template(); leaks database information via frappe.db.sql or other exposed globals.

SSTI (CWE-1336)

ERPNext 15.89.0: SSTI via get_address_display (Jinja Sandbox Bypass)
CVE-2025-66437 8.8 - High - December 15, 2025

An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.render_template() with a context derived from the address_dict parameter, which can be either a dictionary or a string referencing an Address document. Although ERPNext uses a custom Jinja2 SandboxedEnvironment, dangerous functions like frappe.db.sql remain accessible via get_safe_globals(). An authenticated attacker with permission to create or modify an Address Template can inject arbitrary Jinja expressions into the template field. By creating an Address document with a matching country, and then calling the get_address_display API with address_dict="address_name", the system will render the malicious template using attacker-controlled data. This leads to server-side code execution or database information disclosure.

SSTI (CWE-1336)

SSTI in Frappe ERPNext <=15.89.0 via Jinja Terms injection
CVE-2025-66436 4.3 - Medium - December 15, 2025

An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (terms) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to create or modify a Terms and Conditions document can inject arbitrary Jinja expressions into the terms field, resulting in server-side code execution within a restricted but still unsafe context. This vulnerability can be used to leak database information.

SSTI (CWE-1336)

SQLi in Frappe ERPNext 15.57.5 get_material_requests_based_on_supplier()
CVE-2025-52039 8.2 - High - October 01, 2025

In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/material_request.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the txt parameter.

SQL Injection

SQL Injection in Frappe ERPNext 15.57.5 get_blanket_orders()
CVE-2025-52040 8.2 - High - October 01, 2025

In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the blanket_order_type parameter.

SQL Injection

SQL Injection in Frappe ERPNext 15.57.5 stock_reconciliation get_stock_balance_for
CVE-2025-52041 8.2 - High - October 01, 2025

In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the inventory_dimensions_dict parameter.

SQL Injection

SQLi in ERPNext 15.57.5 get_rfq_containing_supplier()
CVE-2025-52042 8.2 - High - October 01, 2025

In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_quotation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query via the txt parameter.

SQL Injection

SQLi in Frappe ERPNext 15.57.5 loyalty_program.get_details
CVE-2025-52050 6.5 - Medium - September 30, 2025

In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loyalty_program.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the expiry_date parameter.

SQL Injection

SQL Injection in ERPNext v15.57.5 Chart of Accounts Importer
CVE-2025-52043 6.5 - Medium - September 30, 2025

In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the company parameter.

SQL Injection

SQLi in Frappe ErpNext v15.57.5 get_income_account() Filters.disabled
CVE-2025-52047 6.5 - Medium - September 30, 2025

In Frappe ErpNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the filters.disabled parameter.

SQL Injection

SQLi in Frappe ErpNext v15.57.5 get_timesheet_detail_rate() Timelog
CVE-2025-52049 6.5 - Medium - September 30, 2025

In Frappe ERPNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the timelog parameter.

SQL Injection

SQL Injection in ERPNext 15.57.5 get_stock_balance()
CVE-2025-52044 7.5 - High - September 16, 2025

In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the inventory_dimensions_dict parameter.

SQL Injection

CSRF in ERPNext 14.82.1: User Deletion & Privilege Escalation
CVE-2025-28062 - May 05, 2025

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNext 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections.

XSS in ERPNext 12.29.0 from improper input neutralization
CVE-2022-28598 6.1 - Medium - August 22, 2022

Frappe ERPNext 12.29.0 is vulnerable to XSS where the software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users.

XSS

In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality
CVE-2022-23055 5.4 - Medium - June 22, 2022

In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users.

AuthZ

In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly
CVE-2022-23057 5.4 - Medium - June 22, 2022

In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile.

XSS

ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability
CVE-2022-23058 5.4 - Medium - June 22, 2022

ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the username field in my settings which can lead to full account takeover.

XSS

In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page
CVE-2022-23056 5.4 - Medium - June 22, 2022

In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low privilege user to conduct an account takeover attack.

XSS

An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38
CVE-2020-6145 - August 10, 2020

An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

SQL Injection

ERPNext 11.1.47 allows reflected XSS
CVE-2019-20521 - March 19, 2020

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI.

ERPNext 11.1.47 allows reflected XSS
CVE-2019-20514 - March 19, 2020

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI.

ERPNext 11.1.47 allows reflected XSS
CVE-2019-20515 - March 19, 2020

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI.

ERPNext 11.1.47 allows reflected XSS
CVE-2019-20516 - March 19, 2020

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI.

ERPNext 11.1.47 allows reflected XSS
CVE-2019-20517 - March 19, 2020

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI.

ERPNext 11.1.47 allows reflected XSS
CVE-2019-20518 - March 19, 2020

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI.

ERPNext 11.1.47 allows reflected XSS
CVE-2019-20519 - March 19, 2020

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address.

ERPNext 11.1.47 allows reflected XSS
CVE-2019-20520 - March 19, 2020

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI.

ERPNext 11.1.47 allows blog?blog_category= Frame Injection.
CVE-2019-20511 - March 18, 2020

ERPNext 11.1.47 allows blog?blog_category= Frame Injection.

A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29
CVE-2018-20061 - December 11, 2018

A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call.

An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5
CVE-2018-11339 - May 22, 2018

An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment.

Vendor: Frappe