CVE-2026-42840
An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0...
CVE-2026-38432
ERPNext v15.103.1 and before is vulnerable to Cross-Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that is executed in the victim's browser when the template is applied...
PT-2026-37088
Name of the Vulnerable Software and Affected Versions: ERPNext versions prior to 15.103.2. Description: Server-Side Template Injection (SSTI) occurs when an attacker with permission to create or edit email templates injects template expressions. These expressions are executed on the server during the...
CVE-2019-20515
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI...
CVE-2019-20516
ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI...
CVE-2025-65267
In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful...
EUVD-2025-200968
In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful...
EUVD-2018-15670
Malware in sbrugna...
EUVD-2018-15671
Malware in sbrugna...
EUVD-2025-32136
Malicious code in bioql PyPI...
CVE-2025-56379
A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNext v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field...
PT-2025-40352
Name of the Vulnerable Software and Affected Versions: ERPNext version 15.67.0. Description: A stored cross-site scripting (XSS) issue exists in the blog post feature. An attacker can inject a crafted payload into the content field, potentially leading to the execution of arbitrary web scripts or HTML...
ERPNext Security Vulnerability
ERPNext is an open source enterprise resource planning solution from ERPNext India. ERPNext suffers from a SQL injection vulnerability that stems from a lack of validation of the order_by and group_by parameters, which allows externally supplied SQL to reach the query. An attacker can exploit this vulnerability...
PT-2025-39989
Name of the Vulnerable Software and Affected Versions: Frappe ERPNext version 15.57.5. Description: The import_coa function located at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py is susceptible to SQL injection. An attacker can inject a SQL query through the...
ERPNext Security Vulnerability
ERPNext is an open source enterprise resource planning solution from ERPNext India. A security vulnerability exists in ERPNext version v15.57.5 that stems from insufficient validation of the inventory_dimensions_dict parameter, which could lead to a SQL injection attack...
PT-2018-16277
Name of the Vulnerable Software and Affected Versions: ERPNext version 10.1.6. Description: An exploitable SQL injection issue exists in the authenticated part of the software. Specially crafted web requests can cause SQL injection, resulting in data compromise. The sort_by and start parameters can...