493 matches found
EUVD-2026-27404
ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting XSS in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's browser when the template is applied...
CVE-2026-38432
ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting XSS in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's browser when the template is applied...
CVE-2026-38431
ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection SSTI. An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered...
EUVD-2023-60566
Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the...
CVE-2023-54345
Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the...
CVE-2023-54345 Frappe Framework ERPNext 13.4.0 Remote Code Execution
Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the...
CVE-2023-54345
Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the...
CVE-2023-54345
The CVE-2023-54345 entry concerns Frappe Framework ERPNext 13.4.0. A sandbox-escape flaw in RestrictedPython allows authenticated users with the System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via /app/server-script and access ...
CVE-2026-38432
ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting XSS in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's browser when the template is applied...
CVE-2026-38432
ERPNext v15.103.1 and earlier is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. Affected component: Email Template engine. Root cause: an attacker with permission to create or edit email templates can inject malicious JavaScript that executes in the victim’s browser when t...
CVE-2026-38432
ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting XSS in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's browser when the template is applied...
CVE-2026-38431
ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection SSTI. An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered...
CVE-2026-38431
ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection SSTI. An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered...
PT-2026-37088
Name of the Vulnerable Software and Affected Versions ERPNext versions prior to 15.103.2 Description Server-Side Template Injection SSTI occurs when an attacker with permissions to create or edit email templates injects template expressions. These expressions are executed on the server during the...
ERPNext 安全漏洞
ERPNext is a set of open-source enterprise resource planning solutions developed by the Indian company ERPNext. Versions of ERPNext prior to v15.103.1 contained security vulnerabilities. These vulnerabilities were caused by server-side template injection. Attackers who had access to create or edi...
CVE-2026-38431
ERPNext v15.103.1 and earlier is vulnerable to Server-Side Template Injection (SSTI) in email templates. An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template renders, leading to potential full impact on con...
CVE-2026-38432
ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting XSS in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's browser when the template is applied...
CVE-2026-38431
ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection SSTI. An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered...
PT-2026-37089
Name of the Vulnerable Software and Affected Versions ERPNext versions prior to 15.103.2 Description The Email Template engine allows an attacker with permissions to create or edit email templates to inject malicious JavaScript code. This code is executed in the victim's browser when the template...
ERPNext 安全漏洞
ERPNext is a set of open-source enterprise resource planning solutions developed by the Indian company ERPNext. Versions of ERPNext prior to v15.103.1 contained security vulnerabilities. These vulnerabilities stemmed from cross-site scripting in the email template engine. Attackers with permissio...