Description
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 16.9.0.
Published: 2026-05-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ERPNext, a widely used open-source ERP platform built on the Frappe framework, has a SQL injection flaw (CWE-89) caused by missing validation of request input in some of its endpoints prior to version 16.9.0. An attacker who can send specially crafted requests to those endpoints can influence the SQL the server executes against the site database. The advisory describes the impact as extraction of sensitive information; the CVSS vector (C:H/I:H/A:H) rates the worst case as full loss of confidentiality, integrity and availability, so customer records, financial data and internal configuration held in the database should be considered exposed.
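
The flaw class the analysis describes, as an added example (not ERPNext's or Frappe's code, and not the affected endpoint from this CVE, which the advisory does not identify): a request handler that pastes request values into SQL beside one that binds them as parameters and allow-lists the one identifier it cannot bind. The table, column and function names are assumptions, and an in-memory SQLite database stands in for the site database; the same binding pattern applies to any DB-API driver, including Frappe's frappe.db.sql(query, values).

```python
"""CWE-89 in a Python request handler: an interpolated query beside its parameterized form.

Added example, not ERPNext's or Frappe's own code. The advisory does not identify
the affected endpoints, so the table, columns and the lookup_customer_* handlers
below are assumptions for illustration only. An in-memory SQLite database stands
in for the site's real database backend.
"""
import sqlite3

# Constructed sample rows: two tenants' customer records in one table.
SEED_ROWS = [
    ("ACME Corp", "tenant-a", "acme@example.invalid"),
    ("Globex", "tenant-b", "globex@example.invalid"),
]

# Identifiers (column names) cannot be bound as parameters, so anything a
# request can choose as a sort key must be validated against an allow-list.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def make_db() -> sqlite3.Connection:
    """Create the in-memory stand-in database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tabCustomer (name TEXT, tenant TEXT, email TEXT)")
    conn.executemany("INSERT INTO tabCustomer VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def lookup_customer_vulnerable(conn, tenant, name, sort_by="name"):
    """Request parameters pasted straight into SQL: the flaw class in the advisory."""
    query = (
        "SELECT name, email FROM tabCustomer "
        f"WHERE tenant = '{tenant}' AND name = '{name}' ORDER BY {sort_by}"
    )
    return conn.execute(query).fetchall()


def lookup_customer_fixed(conn, tenant, name, sort_by="name"):
    """Values are bound as parameters; the one identifier is checked against an allow-list."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    query = (
        "SELECT name, email FROM tabCustomer "
        f"WHERE tenant = ? AND name = ? ORDER BY {sort_by}"
    )
    return conn.execute(query, (tenant, name)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A tenant-a user supplies a crafted name; the tautology makes the WHERE
    # clause true for every row, so tenant-b's record is returned as well.
    crafted = "x' OR '1'='1"
    print("vulnerable:", lookup_customer_vulnerable(db, "tenant-a", crafted))
    # The same input bound as a parameter is just a string that matches no customer.
    print("fixed:     ", lookup_customer_fixed(db, "tenant-a", crafted))
```

The crafted value turns `tenant = 'tenant-a' AND name = 'x'` into `(... AND name = 'x') OR '1'='1'`, which is true for every row; the parameterized version never lets the value reach the SQL parser, and the allow-list covers the ORDER BY identifier that parameters cannot protect.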

Affected Systems

Affected installations are any deployment of ERPNext (CPE cpe:2.3:a:frappe:erpnext:*) running a release older than 16.9.0, regardless of who hosts it. The advisory gives no per-branch patch list; upgrading to 16.9.0 or later removes the vulnerability. The affected components are the web endpoints that accept specially crafted requests without adequate validation; the advisory does not name them.

Risk and Exploitability

The CVSS 3.1 base score is 8.8 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: the flaw is reachable over the network with low attack complexity, needs a low-privilege account but no user interaction, and has high confidentiality, integrity and availability impact. The EPSS estimate is below 1% (Very Low), and the SSVC assessment records Exploitation: none and Automatable: no, so there is no evidence of exploitation in the wild at publication. The vulnerability is not listed in CISA's KEV catalog, but because any authenticated user of an ERPNext site may satisfy PR:L and the outcome is data exfiltration, organizations should treat it as high risk until patched.

Generated by OpenCVE AI on May 13, 2026 at 22:22 UTC.

Remediation

The vendor fix is the 16.9.0 release (see Description); the advisory lists no workaround for older versions.

OpenCVE Recommended Actions

  • Upgrade ERPNext to version 16.9.0 or later; the advisory names that release as the fix and lists no workaround for earlier versions.
  • Until the upgrade is done, limit who can reach the application: the flaw requires only a low-privilege account (PR:L), so review and prune unused or guest-level accounts and restrict network access to the site where possible.
  • Enable and monitor database query logs (and the application error log) for anomalous queries or bursts of failed statements from one session, and alert on them; injection probing typically produces syntax errors before it succeeds.

Generated by OpenCVE AI on May 13, 2026 at 22:22 UTC.
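
One way to act on the log-monitoring recommendation above, as an added example rather than OpenCVE's or the vendor's tooling: a small triage script that scans query-log lines for common injection indicators (tautologies, UNION SELECT, trailing comments, time-based functions, unbalanced quotes) and aggregates hits per database connection. The log lines are constructed in the style of a MariaDB general query log, and the indicator patterns and the alert threshold are assumptions to tune per site.

```python
"""Heuristic triage of database query-log lines for SQL-injection probing.

Added example, not OpenCVE's or Frappe's tooling. SAMPLE_LOG is constructed in the
style of a MariaDB general query log ("<time> <connection id> Query <sql>"); the
exact format on a given site, the indicator regexes and ALERT_THRESHOLD are assumptions.
"""
import re
from collections import Counter

# Constructed sample: one connection (42) probing a customer search, one
# connection (43) running a normal lookup. Table and column names are invented.
SAMPLE_LOG = """\
2026-05-14T10:01:02 42 Query SELECT name, email FROM tabCustomer WHERE name = 'ACME Corp'
2026-05-14T10:01:05 42 Query SELECT name, email FROM tabCustomer WHERE name = 'x' OR '1'='1'
2026-05-14T10:01:06 42 Query SELECT name, email FROM tabCustomer WHERE name = 'x' UNION SELECT user, secret FROM tabAccount-- '
2026-05-14T10:01:07 42 Query SELECT name, email FROM tabCustomer WHERE name = 'x''
2026-05-14T10:01:07 42 Query SELECT name, email FROM tabCustomer WHERE name = 'x' AND SLEEP(5)-- '
2026-05-14T10:02:10 43 Query SELECT name FROM tabItem WHERE item_code = 'WIDGET-001'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")

# Indicator patterns. The tautology check requires both sides of the comparison
# to be the same token (OR '1'='1'), so a legitimate "OR b = 2" does not match.
INDICATORS = {
    "tautology": re.compile(r"""\bOR\s+(['"]?\w+['"]?)\s*=\s*\1""", re.I),
    "union_select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "comment_tail": re.compile(r"""(--|#)\s*['"]?\s*$"""),
    "time_based": re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(", re.I),
}

ALERT_THRESHOLD = 2  # flagged statements per connection before alerting (assumption)


def unbalanced_quotes(sql: str) -> bool:
    """An odd number of single quotes usually means a quote was injected."""
    return sql.count("'") % 2 == 1


def triage(log_text: str) -> list:
    """Return one finding per flagged statement: connection, timestamp, indicators, SQL."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Query line (connect/quit rows, continuation text)
        sql = m.group("sql")
        hits = [name for name, rx in INDICATORS.items() if rx.search(sql)]
        if unbalanced_quotes(sql):
            hits.append("unbalanced_quotes")
        if hits:
            findings.append(
                {"conn": m.group("conn"), "ts": m.group("ts"), "indicators": hits, "sql": sql}
            )
    return findings


def connections_to_alert(log_text: str, threshold: int = ALERT_THRESHOLD) -> list:
    """Connection ids with at least `threshold` flagged statements, sorted."""
    counts = Counter(f["conn"] for f in triage(log_text))
    return sorted(conn for conn, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], "conn", f["conn"], ",".join(f["indicators"]), "::", f["sql"][:60])
    print("alert on connections:", connections_to_alert(SAMPLE_LOG))
```

Aggregating per connection matters more than any single pattern: a lone tautology can be a false positive, but several flagged statements from one session in a few seconds is the shape probing takes, and the connection id (or the application's request log for the same window) ties it back to the account used.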

Advisories

No advisories yet.

History

Fri, 15 May 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 19:45:00 +0000

Type | Values Removed | Values Added
CPEs |                | cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*

Wed, 13 May 2026 23:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Frappe; Frappe erpnext
Vendors & Products  |                | Frappe; Frappe erpnext

Wed, 13 May 2026 21:45:00 +0000

Type        | Values Removed | Values Added
Description |                | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 16.9.0.
Title       |                | ERPNext: Possibility of SQL Injection due to missing validation
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T18:33:57.673Z

Reserved: 2026-05-06T15:49:25.192Z

Link: CVE-2026-44447

Vulnrichment

Updated: 2026-05-15T18:33:42.428Z

NVD

Status : Analyzed

Published: 2026-05-13T22:16:45.780

Modified: 2026-05-14T19:41:12.147

Link: CVE-2026-44447

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T23:30:06Z

Weaknesses