CVE-2026-27471
- EPSS 0.04%
- Published 21.02.2026 06:38:11
- Last modified 24.02.2026 14:52:50
ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in ver...
CVE-2025-65924
- EPSS 0.01%
- Published 03.02.2026 00:00:00
- Last modified 17.02.2026 17:21:04
ERPNext through 15.88.1 does not sanitize or remove certain HTML tags, specifically `<a>` hyperlinks, in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. A...
CVE-2025-65923
- EPSS 0.03%
- Published 03.02.2026 00:00:00
- Last modified 11.02.2026 16:50:44
A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext through 15.88.1 when using the Update Existing Records option. An attacker can embed malicious JavaScript code into a CSV field, which is then sto...
CVE-2025-67289
- EPSS 0.08%
- Published 22.12.2025 18:16:16
- Last modified 02.01.2026 17:45:31
An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.
CVE-2025-66434
- EPSS 0.11%
- Published 15.12.2025 00:00:00
- Last modified 23.12.2025 17:57:35
An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (body_text) using frappe.render_template() with a user-su...
CVE-2025-66435
- EPSS 0.07%
- Published 15.12.2025 00:00:00
- Last modified 23.12.2025 17:56:56
An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (contract_terms) using frappe.render_template() with a user...
CVE-2025-66436
- EPSS 0.07%
- Published 15.12.2025 00:00:00
- Last modified 23.12.2025 17:54:23
An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (terms) using frappe.render_template() with a user-suppl...
CVE-2025-66437
- EPSS 0.11%
- Published 15.12.2025 00:00:00
- Last modified 05.01.2026 18:19:07
An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.render_template() with a context derived from the address_dict par...
CVE-2025-66439
- EPSS 0.05%
- Published 15.12.2025 00:00:00
- Last modified 05.01.2026 18:21:38
An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext.accounts.doctype.payment_entry.payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from ...
CVE-2025-66440
- EPSS 0.05%
- Published 15.12.2025 00:00:00
- Last modified 05.01.2026 18:23:39
An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext/accounts/doctype/payment_entry/payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from ...