493 matches found
ERPNext 安全漏洞
ERPNext is a set of open-source enterprise resource planning solutions developed by the Indian company ERPNext. Versions of ERPNext prior to v15.103.1 contained security vulnerabilities. These vulnerabilities stemmed from cross-site scripting in the email template engine. Attackers with permissio...
CVE-2026-31017
A Server-Side Request Forgery SSRF vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application...
EUVD-2026-20511
A Server-Side Request Forgery SSRF vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application...
CVE-2026-31017
A Server-Side Request Forgery SSRF vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application...
CVE-2026-31017
A Server-Side Request Forgery SSRF vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application...
CVE-2026-31017
A Server-Side Request Forgery SSRF vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application...
PT-2026-31332
Name of the Vulnerable Software and Affected Versions ERPNext version 16.0.1 Frappe Framework version 16.1.1 Description A Server-Side Request Forgery SSRF exists in the Print Format functionality. Insufficient sanitization of user-supplied HTML before PDF rendering allows attackers to include HT...
ERPNext 安全漏洞
ERPNext is a set of open-source enterprise resource planning solutions developed by the Indian company ERPNext. Versions of ERPNext prior to 15.98.0, as well as versions 16.0.0-rc.1 to 16.6.0, contain security vulnerabilities. These vulnerabilities stem from the lack of access validation for...
CVE-2025-65923
A Stored Cross-Site Scripting XSS vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the...
CVE-2025-65924
ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...
CVE-2025-65924
ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...
CVE-2025-65923
A Stored Cross-Site Scripting XSS vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the...
PT-2026-5951
Name of the Vulnerable Software and Affected Versions ERPNext versions through 15.88.1 Description A Stored Cross-Site Scripting XSS issue exists in the CSV import mechanism when the Update Existing Records option is used. An attacker can inject malicious JavaScript code into a CSV field. This co...
CVE-2025-65924
ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...
CVE-2025-65923
A Stored Cross-Site Scripting XSS vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the...
CVE-2025-65924
ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...
ERPNext 安全漏洞
ERPNext is a set of open-source enterprise resource planning solutions developed by the Indian company ERPNext. Versions of ERPNext 15.88.1 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the failure to clean or remove HTML tags from plain-text fields, which cou...
ERPNext 安全漏洞
ERPNext is a set of open-source enterprise resource planning solutions developed by the Indian company ERPNext. Versions of ERPNext 15.88.1 and earlier contain security vulnerabilities. These vulnerabilities stem from the CSV import mechanism’s improper handling of inputs, which may lead to...
CVE-2025-65923
ERPNext (up to 15.88.1) CSV import, specifically the Update Existing Records option, is affected by a Stored Cross-Site Scripting (XSS) vulnerability. A malicious CSV field can contain JavaScript that is stored in the database and executed when a user views the affected record in the ERPNext web ...
CVE-2025-65924
CVE-2025-65924 affects ERPNext up to v15.88.1. The issue arises in the Add Quality Goal function where HTML tags (notably hyperlinks) are not sanitized in plain-text fields. While JavaScript is blocked to prevent XSS, the HTML remains in the generated PDFs, enabling users to click malicious link...