Description
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 15.104.3 and 16.14.0.
Published: 2026-05-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SQL injection vulnerability arises from missing input validation in several ERPNext endpoints prior to versions 15.104.3 and 16.14.0, allowing attackers to inject arbitrary SQL statements and retrieve confidential data. This flaw is classified as CWE‑89.

Affected Systems

The vulnerability affects the ERPNext application from Frappe. Systems running versions earlier than 15.104.3 for the 15.x release stream, or earlier than 16.14.0 for the 16.x stream, are vulnerable. No other vendor or product versions are listed as affected.

Risk and Exploitability

The CVSS score of 8.8 signals high severity, and the absence of an EPSS value does not preclude exploitation. Based on the description, it is inferred that the vulnerability can likely be triggered through remote HTTP requests to the exposed endpoints. Since it is not listed in the CISA KEV catalog, no documented active exploitation is known, but the typical attack path would permit unauthenticated or minimally privileged attackers to run arbitrary SQL and read database contents.

Generated by OpenCVE AI on May 13, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ERPNext to version 15.104.3 or later, or 16.14.0 or later, which contain the SQL injection fix.
  • If an immediate update is not possible, restrict network exposure of the vulnerable endpoints or block access to them entirely until a patch can be applied.
  • Review any custom extensions or modules that construct SQL queries against the database and ensure they use parameterized statements and validate input.

Generated by OpenCVE AI on May 13, 2026 at 23:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Frappe
Frappe erpnext
Vendors & Products Frappe
Frappe erpnext

Wed, 13 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 15.104.3 and 16.14.0.
Title ERPNext: Possibility of SQL Injection due to missing validation
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Frappe Erpnext
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T13:31:08.843Z

Reserved: 2026-05-06T15:49:25.192Z

Link: CVE-2026-44446

cve-icon Vulnrichment

Updated: 2026-05-14T13:28:32.795Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T22:16:45.637

Modified: 2026-05-14T20:01:40.860

Link: CVE-2026-44446

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T23:30:06Z

Weaknesses