Lucene search
K

493 matches found

CNNVD
CNNVD
added 2026/05/05 12:0 a.m.12 views

ERPNext 安全漏洞

ERPNext is a set of open-source enterprise resource planning solutions developed by the Indian company ERPNext. Versions of ERPNext prior to v15.103.1 contained security vulnerabilities. These vulnerabilities stemmed from cross-site scripting in the email template engine. Attackers with permissio...

6.1CVSS5.7AI score0.00175EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/04/10 1:23 a.m.8 views

CVE-2026-31017

A Server-Side Request Forgery SSRF vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application...

9.1CVSS6.1AI score0.00236EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/08 6:34 p.m.9 views

EUVD-2026-20511

A Server-Side Request Forgery SSRF vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application...

6.1AI score0.00236EPSS
Exploits0References3
NVD
NVD
added 2026/04/08 5:21 p.m.6 views

CVE-2026-31017

A Server-Side Request Forgery SSRF vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application...

9.1CVSS0.00236EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/08 12:0 a.m.10 views

CVE-2026-31017

A Server-Side Request Forgery SSRF vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application...

6.1AI score0.00236EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/08 12:0 a.m.22 views

CVE-2026-31017

A Server-Side Request Forgery SSRF vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application...

0.00236EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/08 12:0 a.m.8 views

PT-2026-31332

Name of the Vulnerable Software and Affected Versions ERPNext version 16.0.1 Frappe Framework version 16.1.1 Description A Server-Side Request Forgery SSRF exists in the Print Format functionality. Insufficient sanitization of user-supplied HTML before PDF rendering allows attackers to include HT...

9.1CVSS5.9AI score0.00236EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/02/21 12:0 a.m.9 views

ERPNext 安全漏洞

ERPNext is a set of open-source enterprise resource planning solutions developed by the Indian company ERPNext. Versions of ERPNext prior to 15.98.0, as well as versions 16.0.0-rc.1 to 16.6.0, contain security vulnerabilities. These vulnerabilities stem from the lack of access validation for...

9.3CVSS5.8AI score0.00324EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/02/04 3:15 a.m.7 views

CVE-2025-65923

A Stored Cross-Site Scripting XSS vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the...

5.4CVSS5.6AI score0.00162EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/04 3:15 a.m.18 views

CVE-2025-65924

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...

4.1CVSS5.5AI score0.00227EPSS
Exploits0References1
NVD
NVD
added 2026/02/03 6:16 p.m.7 views

CVE-2025-65924

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...

4.1CVSS0.00227EPSS
Exploits0References1
NVD
NVD
added 2026/02/03 6:16 p.m.3 views

CVE-2025-65923

A Stored Cross-Site Scripting XSS vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the...

5.4CVSS0.00162EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/02/03 12:0 a.m.6 views

PT-2026-5951

Name of the Vulnerable Software and Affected Versions ERPNext versions through 15.88.1 Description A Stored Cross-Site Scripting XSS issue exists in the CSV import mechanism when the Update Existing Records option is used. An attacker can inject malicious JavaScript code into a CSV field. This co...

5.4CVSS5.6AI score0.00162EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/02/03 12:0 a.m.4 views

CVE-2025-65924

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...

5.5AI score0.00227EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/02/03 12:0 a.m.5 views

CVE-2025-65923

A Stored Cross-Site Scripting XSS vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the...

5.7AI score0.00162EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/02/03 12:0 a.m.2 views

CVE-2025-65924

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...

5.5AI score0.00227EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/02/03 12:0 a.m.9 views

ERPNext 安全漏洞

ERPNext is a set of open-source enterprise resource planning solutions developed by the Indian company ERPNext. Versions of ERPNext 15.88.1 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the failure to clean or remove HTML tags from plain-text fields, which cou...

4.1CVSS5.8AI score0.00227EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/02/03 12:0 a.m.11 views

ERPNext 安全漏洞

ERPNext is a set of open-source enterprise resource planning solutions developed by the Indian company ERPNext. Versions of ERPNext 15.88.1 and earlier contain security vulnerabilities. These vulnerabilities stem from the CSV import mechanism’s improper handling of inputs, which may lead to...

5.4CVSS5.7AI score0.00162EPSS
Exploits0References1
CVE
CVE
added 2026/02/03 12:0 a.m.13 views

CVE-2025-65923

ERPNext (up to 15.88.1) CSV import, specifically the Update Existing Records option, is affected by a Stored Cross-Site Scripting (XSS) vulnerability. A malicious CSV field can contain JavaScript that is stored in the database and executed when a user views the affected record in the ERPNext web ...

5.4CVSS5.7AI score0.00162EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/02/03 12:0 a.m.19 views

CVE-2025-65924

CVE-2025-65924 affects ERPNext up to v15.88.1. The issue arises in the Add Quality Goal function where HTML tags (notably hyperlinks) are not sanitized in plain-text fields. While JavaScript is blocked to prevent XSS, the HTML remains in the generated PDFs, enabling users to click malicious link...

4.1CVSS5.5AI score0.00227EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder