Description
ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.
Published: 2026-05-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ERPNext email templates use a server-side rendering engine that evaluates template expressions. A user with the ability to create or edit those templates can craft expressions that are executed on the web server. The vulnerability allows an attacker to run arbitrary code, exfiltrate data, or compromise the system entirely. This is an instance of improper control of code generation (code injection), classified as CWE-94.

Affected Systems

The flaw is present in ERPNext v15.103.1 and earlier releases. No other products or vendors are listed as affected by this CVE. Organizations running ERPNext, particularly older installations, should verify that their instance does not fall within the vulnerable version range.

Risk and Exploitability

No CVSS or EPSS scores are available and the vulnerability is not listed in the CISA KEV catalog, but the impact level is high. The attack vector requires the attacker to hold permission to edit email templates; with that permission, the vulnerability can be triggered with minimal effort. If successful, the attacker could execute arbitrary server-side code, leading to full system compromise.

Generated by OpenCVE AI on May 5, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest ERPNext release that includes the fixed email template renderer; the vulnerable versions are v15.103.1 and earlier.
  • Revoke or limit the permissions that allow users to create or edit email templates, so that only trusted administrators can perform these actions.
  • Validate template input on save: reject expressions containing double braces or other template syntax, or use a whitelisting (allowlist) approach that restricts which template tags and functions a template may use.
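A save-time allowlist check of the kind the third action describes, as an added example that is not ERPNext or Frappe code and is not taken from this advisory. It assumes Jinja-style {{ }} and {% %} syntax and uses hypothetical context names, filters and a helper function; it is a pre-save gate that complements, rather than replaces, sandboxed rendering and least-privilege template permissions.

```python
import ast
import re

ALLOWED_NAMES = {"doc", "recipient", "company"}   # hypothetical context variables
ALLOWED_FILTERS = {"upper", "lower", "title", "trim"}
ALLOWED_CALLS = {"format_date"}                    # hypothetical helper function
ALLOWED_TAGS = {"if", "elif", "else", "endif", "for", "endfor"}
EXPR_RE = re.compile(r"\{\{(.*?)\}\}", re.S)
TAG_RE = re.compile(r"\{%(.*?)%\}", re.S)

def _walk(node, errors):
    """Check one expression node against the allowlist; anything unlisted is an error."""
    if isinstance(node, ast.Name):
        if node.id not in ALLOWED_NAMES:
            errors.append(f"unknown name {node.id!r}")
    elif isinstance(node, ast.Attribute):
        if node.attr.startswith("_"):              # block private/dunder lookups
            errors.append(f"private attribute {node.attr!r}")
        _walk(node.value, errors)
    elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.BitOr):
        _walk(node.left, errors)                   # value | filter (bare filters only)
        if not (isinstance(node.right, ast.Name) and node.right.id in ALLOWED_FILTERS):
            errors.append("filter not in allowlist")
    elif isinstance(node, ast.Call):
        if not (isinstance(node.func, ast.Name) and node.func.id in ALLOWED_CALLS):
            errors.append("call not in allowlist")
        for arg in node.args:
            _walk(arg, errors)
    elif not isinstance(node, ast.Constant):       # arithmetic, subscripts, lambdas...
        errors.append(f"disallowed syntax {type(node).__name__}")

def validate_template(text):
    """Return the problems found; an empty list means the template may be saved."""
    errors = []
    for m in TAG_RE.finditer(text):
        words = m.group(1).split()
        if not words or words[0] not in ALLOWED_TAGS:
            errors.append(f"tag {m.group(0).strip()!r} not allowed")
    for m in EXPR_RE.finditer(text):
        expr = m.group(1).strip()
        try:
            # Jinja expressions are close enough to Python for this structural check
            _walk(ast.parse(expr, mode="eval").body, errors)
        except SyntaxError:
            errors.append(f"unparseable expression {expr!r}")
    return errors

GOOD = "Dear {{ recipient.first_name | title }}, invoice {{ doc.name }} is due."
BAD = "{{ doc.run_method('submit') }} {% include 'x' %}"   # constructed samples
```

Because the check is structural rather than a blocklist of strings, an expression that avoids the literal words a filter would look for is still rejected unless every node in it is explicitly allowed.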

Generated by OpenCVE AI on May 5, 2026 at 18:52 UTC.


Advisories

No advisories yet.

History

Tue, 05 May 2026 20:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared  -                 Erpnext; Erpnext erpnext
Vendors & Products   -                 Erpnext; Erpnext erpnext

Tue, 05 May 2026 19:15:00 +0000

Type         Values Removed    Values Added
Title        -                 Server-Side Template Injection in ERPNext Email Templates
Weaknesses   -                 CWE-94

Tue, 05 May 2026 17:00:00 +0000

Type          Values Removed    Values Added
Description   -                 ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-05T16:08:31.506Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38431

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T17:17:04.670

Modified: 2026-05-05T17:17:04.670

Link: CVE-2026-38431

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T20:00:12Z

Weaknesses