Impact
Certain endpoints in the ERPNext application allow attackers to perform time‑based and boolean‑based blind SQL injection due to insufficient input validation. By sending crafted queries, an adversary can infer database contents from response timing or from differences in application behaviour, without the query results ever being returned directly. The principal consequence is the unintended disclosure of confidential data, which can lead to credential theft, corporate espionage, or further privilege escalation. The weakness aligns with CWE‑89, a classic injection flaw that enables data leakage and may serve as a foothold for additional attacks.
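As an added illustration, not ERPNext's or Frappe's own code (which runs on MariaDB through its own query layer), the insecure pattern behind CWE‑89 is shown next to its mitigated form using Python's sqlite3 on a constructed table; the table name, columns and rows are assumptions made for the demonstration:

```python
import sqlite3

# Constructed sample table standing in for an ERPNext DocType; not ERPNext's schema.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE tabCustomer (name TEXT, territory TEXT, credit_limit REAL)")
CONN.executemany(
    "INSERT INTO tabCustomer VALUES (?, ?, ?)",
    [("CUST-0001", "Germany", 5000.0), ("CUST-0002", "France", 12000.0)],
)

# Columns a caller may filter on. Identifiers cannot be bound as parameters,
# so they are validated against this allowlist instead of being trusted.
ALLOWED_FIELDS = {"name", "territory"}


def find_customers_vulnerable(field: str, value: str) -> list:
    """Insecure pattern (CWE-89): user input is spliced into the SQL text.

    A value that carries SQL syntax changes the query logic, which is what lets
    a boolean- or time-based blind injection infer data from the response."""
    rows = CONN.execute(
        f"SELECT name FROM tabCustomer WHERE {field} = '{value}'"
    ).fetchall()
    return [r[0] for r in rows]


def find_customers_hardened(field: str, value: str) -> list:
    """Mitigated pattern: allowlisted identifier plus a bound parameter.

    The driver sends `value` as data, never as SQL, so crafted input is simply
    compared literally against the column and cannot alter the WHERE clause."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"filter on unknown field {field!r} rejected")
    rows = CONN.execute(
        f"SELECT name FROM tabCustomer WHERE {field} = ?", (value,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    # Constructed boolean-style input: a tautology appended to a value.
    crafted = "nobody' OR '1'='1"
    print(find_customers_vulnerable("territory", crafted))  # every row leaks
    print(find_customers_hardened("territory", crafted))    # []
```

The same rule applies to ORDER BY and column-selection parameters in real request handlers: bind values, allowlist identifiers.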
Affected Systems
The vulnerability affects the ERPNext platform, a free and open-source enterprise resource planning system. Versions prior to 16.8.0 and 15.100.0 are identified as vulnerable. These versions were released before the patch that addressed the input‑validation flaw. System administrators managing older ERPNext deployments should verify the installed release and confirm whether it falls below those thresholds.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, reflecting the potential for significant data exposure. The EPSS score of less than 1% suggests that, at present, exploitation is unlikely, and the vulnerability is not listed in a known exploited vulnerabilities catalog. Nonetheless, the ability to infer arbitrary database information presents a serious risk, especially in environments where ERPNext stores sensitive financial or HR data. Exploitation requires network access to the vulnerable endpoints and the ability to craft input strings, so an attacker can likely carry out the attack remotely without additional privileges.
OpenCVE Enrichment