Every CVE whose affected-product data names Frappe Erpnext, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (59)
CVE-2026-44442 — CVSS 9.9 (critical): ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper…
CVE-2026-38431 — CVSS 9.8 (critical): ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email…
CVE-2025-67289 — CVSS 9.6 (critical): An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code…
CVE-2026-27471 — CVSS 9.1 (critical): ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain…
CVE-2026-31017 — CVSS 9.1 (critical): A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework…
CVE-2025-65267 — CVSS 9.0 (critical): In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious…
CVE-2025-66440 — CVSS 8.8 (high): An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext/accounts/doctype/paymen…
CVE-2018-3882 — CVSS 8.8 (high): An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause…
CVE-2018-3883 — CVSS 8.8 (high): An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause…
CVE-2018-3884 — CVSS 8.8 (high): An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause…
CVE-2020-6145 — CVSS 8.8 (high): An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request…
CVE-2026-44447 — CVSS 8.8 (high): ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL injection…
CVE-2026-44446 — CVSS 8.8 (high): ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL…
CVE-2025-66434 — CVSS 8.8 (high): An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The…
CVE-2018-3885 — CVSS 8.8 (high): An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause…
CVE-2023-54345 — CVSS 8.8 (high): Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System…
CVE-2025-66437 — CVSS 8.8 (high): An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This…
CVE-2025-66438 — CVSS 8.8 (high): A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism…
CVE-2025-66439 — CVSS 8.8 (high): An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext.accounts.doctype.paymen…
CVE-2025-52042 — CVSS 8.2 (high): In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_quotation…
CVE-2025-52040 — CVSS 8.2 (high): In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows…
CVE-2025-52039 — CVSS 8.2 (high): In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/material_request…
CVE-2025-52041 — CVSS 8.2 (high): In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is…
CVE-2025-58439 — CVSS 8.1 (high): ERP is a free and open source Enterprise Resource Planning tool. In versions below 14.89.2 and 15.0.0 through 15.75.1, lack of validation…
CVE-2025-28062 — CVSS 8.1 (high): A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to…
CVE-2018-20061 — CVSS 7.5 (high): A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user…
CVE-2025-52044 — CVSS 7.5 (high): In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL Injection, which allows an…
CVE-2026-32954 — CVSS 7.1 (high): ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were…
CVE-2026-44445 — CVSS 6.5 (medium): ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external…
CVE-2025-52050 — CVSS 6.5 (medium): In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loyalty_progra…
CVE-2026-44440 — CVSS 6.5 (medium): ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pathname to…
CVE-2025-56380 — CVSS 6.5 (medium): Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the frappe.client.get_value…
CVE-2025-56381 — CVSS 6.5 (medium): ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint…
CVE-2025-52049 — CVSS 6.5 (medium): In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to…
CVE-2025-52043 — CVSS 6.5 (medium): In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py…
CVE-2025-52047 — CVSS 6.5 (medium): In Frappe ErpNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which…
CVE-2026-38432 — CVSS 6.1 (medium): ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to…
CVE-2019-20519 — CVSS 6.1 (medium): ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address.
CVE-2022-28598 — CVSS 6.1 (medium): Frappe ERPNext 12.29.0 is vulnerable to XSS where the software does not neutralize or incorrectly neutralize user-controllable input before…
CVE-2026-44448 — CVSS 5.9 (medium): ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce…
CVE-2022-23055 — CVSS 5.5 (medium): In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low…
CVE-2022-23057 — CVSS 5.4 (medium): In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly…
CVE-2025-65923 — CVSS 5.4 (medium): A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the…
CVE-2025-56379 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web…
CVE-2026-44441 — CVSS 5.0 (medium): ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted…
CVE-2025-66436 — CVSS 4.3 (medium): An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method of Frappe ERPNext through 15.89.0. The…
CVE-2025-66435 — CVSS 4.3 (medium): An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.0. The…
CVE-2025-65924 — CVSS 4.1 (medium): ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain…
CVE-2022-23056 — CVSS 3.5 (low): In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low privilege…
CVE-2022-23058 — CVSS 3.5 (low): ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts…