Description
ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.
Published: 2026-05-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ERPNext email templates use a server-side rendering engine that evaluates template expressions. A user with the ability to create or edit those templates can craft expressions that are executed on the web server. The vulnerability allows an attacker to run arbitrary code, exfiltrate data, or compromise the system entirely. This is an instance of improper control of code generation (code injection) via template injection, identified as CWE-94.

Affected Systems

The flaw is present in ERPNext v15.103.1 and earlier releases. No other products or vendors are listed as affected by this CVE. Organizations using legacy ERPNext installations should verify that their instance does not fall within the vulnerable version range.

Risk and Exploitability

The vulnerability is assigned a critical CVSS score of 9.8, reflecting a high potential for system compromise. Its EPSS score is below 1%, indicating that the probability of exploitation is currently low, and it is not listed in the CISA KEV catalog. The attack requires the attacker to hold permission to create or edit email templates; once that permission is held, the vulnerability can be triggered with minimal effort. If successful, the attacker could execute arbitrary server-side code, leading to full system compromise.

Generated by OpenCVE AI on May 6, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest ERPNext release that includes the fixed email template renderer. The current vulnerable versions are v15.103.1 and earlier.
  • Revoke or limit permissions that allow users to create or edit email templates, allowing only trusted administrators to perform these actions.
  • Implement template input sanitization to reject expressions containing double braces or other template syntax, or use a whitelisting approach to restrict allowed template tags and functions.
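As an added example of the allow-list approach in the last item (not ERPNext's or Frappe's own code), the following Python validator accepts a user-editable email template only if every `{{ ... }}` expression is a plain dotted field name from an approved set, rejects statement tags outright, and renders by dictionary lookup instead of handing the text to the template engine. The field names and the sample context are assumed for the example.

```python
import re

# Constructed allow-list of field references a template editor may use.
# The names are assumed for this example, not ERPNext's real context keys.
ALLOWED_FIELDS = {"doc.name", "doc.customer_name", "doc.grand_total", "user.full_name"}

EXPR_RE = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)   # {{ expression }}
TAG_RE = re.compile(r"\{%.*?%\}", re.DOTALL)         # {% statement %}
# A plain dotted name: identifiers only, no leading underscore, so calls,
# subscripts, filters and dunder attributes never reach the renderer.
FIELD_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)*$")


def validate_template(template: str, allowed=ALLOWED_FIELDS) -> list:
    """Return the reasons a template must be rejected; an empty list means accepted."""
    problems = []
    if TAG_RE.search(template):
        problems.append("statement tags ({% ... %}) are not permitted")
    exprs = EXPR_RE.findall(template)
    if template.count("{{") != len(exprs):
        problems.append("unbalanced or nested {{ }} delimiters")
    for raw in exprs:
        expr = raw.strip()
        if not FIELD_RE.match(expr):
            problems.append("not a plain field reference: " + expr)
        elif expr not in allowed:
            problems.append("field not in allow-list: " + expr)
    return problems


def render_template(template: str, context: dict, allowed=ALLOWED_FIELDS) -> str:
    """Render an accepted template by dictionary lookup only; nothing is evaluated."""
    problems = validate_template(template, allowed)
    if problems:
        raise ValueError("; ".join(problems))

    def lookup(match):
        value = context
        for part in match.group(1).strip().split("."):
            value = value[part]          # dict indexing: no getattr, no calls
        return str(value)

    return EXPR_RE.sub(lookup, template)
```

Run the validator at save time on the template editor's input as well as at render time, so a template that fails the allow-list is never stored.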

Generated by OpenCVE AI on May 6, 2026 at 17:55 UTC.

Advisories

No advisories yet.

History

Fri, 08 May 2026 17:15:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Frappe; Frappe erpnext
  CPEs                                  cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*
  Vendors & Products                    Frappe; Frappe erpnext

Wed, 06 May 2026 18:15:00 +0000

  Type                 Values Removed   Values Added
  Title                                 Server-Side Template Injection in ERPNext Email Templates

Wed, 06 May 2026 16:15:00 +0000

  Type                 Values Removed   Values Added
  Metrics                               cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                                        ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 05 May 2026 20:15:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Erpnext; Erpnext erpnext
  Vendors & Products                    Erpnext; Erpnext erpnext

Tue, 05 May 2026 19:15:00 +0000

  Type                 Values Removed   Values Added
  Title                                 Server-Side Template Injection in ERPNext Email Templates
  Weaknesses                            CWE-94

Tue, 05 May 2026 17:00:00 +0000

  Type                 Values Removed   Values Added
  Description                           ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.

References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-06T15:26:19.751Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38431

Vulnrichment

Updated: 2026-05-06T13:51:20.397Z

NVD

Status : Analyzed

Published: 2026-05-05T17:17:04.670

Modified: 2026-05-08T17:06:43.360

Link: CVE-2026-38431

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T18:00:12Z

Weaknesses