📦 Erpnext
by Frappe
🔍 What is Erpnext?
Description coming soon...
🛡️ Security Overview
⚠️ Known Vulnerabilities
This critical vulnerability in Frappe Framework's Attachments module allows attackers to upload malicious XML files that can lead to remote code execution. It affects all systems running Frappe Framew...
This vulnerability allows attackers to upload malicious SVG avatar images containing JavaScript payloads in ERPNext and Frappe Framework. When an administrator clicks to view the avatar, the JavaScrip...
This CVE describes a Server-Side Template Injection (SSTI) vulnerability in Frappe ERPNext that allows authenticated attackers with Address Template permissions to execute arbitrary Jinja expressions....
This Server-Side Template Injection (SSTI) vulnerability in Frappe ERPNext allows authenticated attackers with Print Format creation/modification permissions to inject malicious Jinja expressions that...
This SQL injection vulnerability in Frappe ERPNext allows attackers to execute arbitrary SQL queries through the from_posting_date parameter. It enables database information extraction, potentially ex...
This SQL injection vulnerability in Frappe ERPNext allows attackers to execute arbitrary SQL commands through the to_posting_date parameter. It enables unauthorized database access, potentially exposi...
An authenticated attacker with Dunning Type configuration access can exploit this Server-Side Template Injection vulnerability in Frappe ERPNext to execute arbitrary Jinja2 expressions. This allows se...
This SQL injection vulnerability in Frappe ERPNext allows attackers to execute arbitrary SQL queries through the blanket_order_type parameter, potentially extracting all database information. It affec...
This SQL injection vulnerability in Frappe ERPNext allows attackers to execute arbitrary SQL queries through the inventory_dimensions_dict parameter, potentially extracting all database information. I...
This SQL injection vulnerability in Frappe ERPNext allows attackers to execute arbitrary SQL queries through the txt parameter in the get_rfq_containing_supplier() function. Successful exploitation en...
This SQL injection vulnerability in Frappe ERPNext allows attackers to execute arbitrary SQL queries through the txt parameter in the get_material_requests_based_on_supplier() function. This can lead ...
This CVE describes an error-based SQL injection vulnerability in ERPNext, an open-source Enterprise Resource Planning tool. Attackers can exploit unvalidated parameters in certain endpoints to extract...
A Cross-Site Request Forgery vulnerability in ERPNEXT allows attackers to trick authenticated users into performing unauthorized actions like deleting users, resetting passwords, or escalating privile...
A stored XSS vulnerability in ERPNext's CSV import feature allows attackers to inject malicious JavaScript into database records. When users view affected records in the web interface, the script exec...
ERPNext versions through 15.88.1 fail to sanitize HTML <a> tags in plain text fields, allowing attackers to inject clickable links into generated PDF documents. Since users trust ERP-generated PDFs, t...
An authenticated attacker with access to create or modify Terms and Conditions documents in Frappe ERPNext can inject malicious Jinja2 templates into the terms field, leading to server-side template i...
An authenticated attacker with Contract Template creation/modification privileges can inject malicious Jinja2 templates into the contract_terms field, leading to server-side code execution within Frap...
A stored cross-site scripting (XSS) vulnerability in ERPNEXT v15.67.0 allows attackers to inject malicious scripts into blog posts, which execute when other users view the compromised content. This af...
This SQL injection vulnerability in Frappe Framework allows attackers to execute arbitrary SQL commands through the fieldname parameter in the frappe.client.get_value API endpoint. Attackers can poten...
CVE-2025-56381 allows attackers to execute arbitrary SQL commands in ERPNEXT through SQL injection vulnerabilities in the reportview API endpoint. This affects all ERPNEXT v15.67.0 installations with ...
This SQL injection vulnerability in Frappe ERPNext allows attackers to execute arbitrary SQL queries through the filters.disabled parameter in the get_income_account() function. Attackers can extract ...
This SQL injection vulnerability in Frappe ERPNext allows attackers to execute arbitrary SQL queries through the timelog parameter, potentially extracting all database information. It affects organiza...
This SQL injection vulnerability in Frappe ERPNext allows attackers to execute arbitrary SQL queries through the expiry_date parameter in the get_loyalty_program_details_with_points() function. This c...