Description
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference vulnerability in the EDI Module enables an authenticated attacker to read files from the local file system, including sensitive configuration files. This vulnerability is fixed in 15.104.3 and 16.12.0.
Published: 2026-05-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ERPNext's EDI Module suffers from improper restriction of XML External Entity references (CWE-611). An authenticated attacker who can submit an XML document to the module can declare an external entity that points at a local path and have the parser expand it, returning the file's contents in the parsed result. That exposes sensitive configuration files (in an ERPNext site these typically hold database credentials) and any other file readable by the ERPNext process. Only a valid login is needed (PR:L in both CVSS vectors); no elevated role is required, and the impact is confined to confidentiality, with no integrity or availability effect recorded.

Affected Systems

The issue affects ERPNext deployments that use the EDI module on versions older than 15.104.3 (15.x branch) and 16.12.0 (16.x branch); the recorded CPE is cpe:2.3:a:frappe:erpnext:*. The affected product is frappe:erpnext, and the CVE identifies only its EDI processing component as the entry point.

Risk and Exploitability

The CVSS 4.0 base score of 5.3 (Medium) reflects a network-reachable, low-complexity attack that needs an authenticated account and no user interaction, with a low confidentiality impact; NVD's separate CVSS 3.1 assessment of 6.5 rates the confidentiality loss as high (C:H). Because a valid login is required, exposure is bounded by the set of accounts that can reach the EDI module, so narrowing that set matters until the upgrade is applied. EPSS is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC decision point records Exploitation: none and Automatable: no; no public exploit is referenced on this page. The flaw still deserves prompt attention on older branches, since an XXE file read is simple to craft once an account is obtained.

Generated by OpenCVE AI on May 13, 2026 at 22:23 UTC.

Remediation

Fixed upstream in ERPNext 15.104.3 and 16.12.0 (see Description). No vendor workaround for unpatched versions is documented on this page.

OpenCVE Recommended Actions

  • Upgrade ERPNext to 15.104.3 or later on the 15.x branch, or 16.12.0 or later on the 16.x branch; these are the versions the vendor lists as containing the fix.
  • Until the upgrade is done, limit who can submit XML to the EDI module: restrict the relevant roles and permissions to a small set of trusted, privileged users and review the accounts that currently hold them, since any authenticated user with access can trigger the file read.
  • Independently of the patch, make sure XML received from users is parsed with external entity resolution disabled: reject documents that carry a DOCTYPE, and in a Python stack such as ERPNext use lxml's XMLParser with resolve_entities=False and no_network=True, or route parsing through defusedxml. Confirm the setting by submitting a test document that declares a SYSTEM entity and checking that it is refused rather than expanded.

Generated by OpenCVE AI on May 13, 2026 at 22:23 UTC.
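The third recommendation above is easiest to see in code. The following is an added example written for this page, not ERPNext's EDI implementation (which is not reproduced here): it uses Python's standard-library expat binding to build, first, a parser that resolves SYSTEM entities the way a permissive XML parser would, and second, a hardened parser that refuses any DOCTYPE or entity declaration. The EDI document shape (<order><ref>...</ref></order>), the secret file and its contents are constructed for the demonstration, and the entity name xxe and all function names are hypothetical.

```python
"""XXE demo: a resolving XML parser beside one that forbids DTDs.

Added example, not code from ERPNext/Frappe. The document shape, the secret
file and every identifier here are constructed to illustrate CWE-611.
"""
import os
import tempfile
import xml.parsers.expat as expat


def parse_resolving(xml_bytes: bytes) -> str:
    """Stand-in for an XML parser that honours external entities.

    expat ignores a SYSTEM entity unless a handler is installed; installing
    one that opens the referenced path reproduces what a parser configured
    to resolve external entities does, which is what turns an uploaded EDI
    file into a local file read.
    """
    parser = expat.ParserCreate()
    text: list[str] = []

    def on_external_ref(context, base, system_id, public_id) -> int:
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as fh:
            body = fh.read()
        # Parse the fetched bytes as the entity's replacement text. The child
        # parser inherits the parent's handlers, so the file content is
        # delivered to CharacterDataHandler like any other element text.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(body, True)
        return 1

    parser.CharacterDataHandler = text.append
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return "".join(text)


class ForbiddenXML(ValueError):
    """Raised when an uploaded document carries a DTD or entity declaration."""


def parse_hardened(xml_bytes: bytes) -> str:
    """Same text extraction, but any DOCTYPE or entity declaration aborts the parse.

    Rejecting the DTD outright (what defusedxml's forbid_dtd does) is simpler
    and safer than allowing "harmless" internal entities: EDI payloads have
    no reason to declare entities at all.
    """
    parser = expat.ParserCreate()
    text: list[str] = []

    def forbid(*_args) -> None:
        raise ForbiddenXML("DOCTYPE/entity declarations are not accepted in EDI uploads")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text)


def xxe_payload(path: str) -> bytes:
    """Minimal XXE document: an external general entity pointing at `path`."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file://' + path.encode() + b'">]>\n'
        b'<order><ref>&xxe;</ref></order>'
    )


def demo() -> tuple[str, bool]:
    """Write a constructed secret file, then feed the payload to both parsers.

    Returns (text recovered by the resolving parser, whether the hardened
    parser refused the document).
    """
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write("db_password = hunter2\n")  # constructed stand-in for a site config
        secret_path = fh.name
    try:
        leaked = parse_resolving(xxe_payload(secret_path))
        try:
            parse_hardened(xxe_payload(secret_path))
            refused = False
        except ForbiddenXML:
            refused = True
    finally:
        os.unlink(secret_path)
    return leaked, refused


if __name__ == "__main__":
    leaked_text, was_refused = demo()
    print("resolving parser returned:", leaked_text.strip())
    print("hardened parser refused document:", was_refused)
```

Running it prints the leaked line from the resolving parser and True for the hardened parser refusing the payload. The hardened parser still accepts a plain document with no DOCTYPE, which is the pair of checks to run against a real EDI endpoint after patching or reconfiguring: a benign document must still parse, and a document declaring a SYSTEM entity must be rejected, not expanded.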

Advisories

No advisories yet.

History

Thu, 14 May 2026 20:15:00 +0000

Type       Values Removed   Values Added
CPEs       -                cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*
Metrics    -                cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Thu, 14 May 2026 16:30:00 +0000

Type       Values Removed   Values Added
Metrics    -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 22:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Frappe; Frappe erpnext
Vendors & Products    -                Frappe; Frappe erpnext

Wed, 13 May 2026 21:45:00 +0000

Type          Values Removed   Values Added
Description   -                ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference vulnerability in the EDI Module enables an authenticated attacker to read files from the local file system, including sensitive configuration files. This vulnerability is fixed in 15.104.3 and 16.12.0.
Title         -                ERPNext: XML External Entity (XEE) Reference Vulnerability in the EDI Module
Weaknesses    -                CWE-611
References    -                
Metrics       -                cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T15:56:29.342Z

Reserved: 2026-05-06T15:49:25.192Z

Link: CVE-2026-44445

Vulnrichment

Updated: 2026-05-14T15:56:23.631Z

NVD

Status : Analyzed

Published: 2026-05-13T22:16:45.500

Modified: 2026-05-14T20:02:51.860

Link: CVE-2026-44445

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T22:30:06Z

Weaknesses