Description
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability on an endpoint allows an authenticated adjacent attacker to read arbitrary files. This vulnerability is fixed in 15.101.1 and 16.10.0.
Published: 2026-05-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ERPNext versions earlier than 15.101.1 and 16.10.0 contain an improper limitation of a pathname to a restricted directory flaw that lets a user who has adjacent authentication privileges read any file on the server. The flaw is a classic path traversal weakness (CWE‑22) and can expose sensitive configuration files, credentials, or personal data, compromising confidentiality of the system and its data.

Affected Systems

The vulnerability affects the ERPNext product from the Frappe framework. Users running ERPNext prior to version 15.101.1 or 16.10.0 are at risk. No other versions or associated products are listed.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires authenticated adjacent access; therefore, an attacker must first acquire credentials that allow access to the system or gain proximity within the network to exploit the flaw.

Generated by OpenCVE AI on May 13, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Replace ERPNext with version 15.101.1 or 16.10.0 or later
  • Upgrade all dependent libraries and the Frappe framework to the latest compatible release
  • Configure strict file system permissions and isolate the ERPNext process so that authenticated users cannot read system or other users’ files

Generated by OpenCVE AI on May 13, 2026 at 22:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*

Thu, 14 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Frappe
Frappe erpnext
Vendors & Products Frappe
Frappe erpnext

Wed, 13 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability on an endpoint allows an authenticated adjacent attacker to read arbitrary files. This vulnerability is fixed in 15.101.1 and 16.10.0.
Title ERPNext: Path Traversal Leading to Sensitive File Exposure
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Frappe Erpnext
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T12:46:25.313Z

Reserved: 2026-05-06T14:40:00.955Z

Link: CVE-2026-44440

cve-icon Vulnrichment

Updated: 2026-05-14T12:46:20.991Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T22:16:45.007

Modified: 2026-05-14T20:11:20.710

Link: CVE-2026-44440

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T22:30:06Z

Weaknesses