Known Vulnerabilities for ERPNext by Frappe
Listed below are 10 of the newest known vulnerabilities associated with "ERPNext" by "Frappe".
These CVEs are retrieved based on exact matches on listed software, hardware, and vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed software information are still displayed.
Data on known vulnerable versions is also displayed based on information from known CPEs
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-44448 json | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed ... | Not Provided | 2026-05-13 | 2026-05-14 |
| CVE-2026-44447 json | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL i... | Not Provided | 2026-05-13 | 2026-05-13 |
| CVE-2026-44446 json | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulne... | Not Provided | 2026-05-13 | 2026-05-14 |
| CVE-2026-44445 json | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction o... | Not Provided | 2026-05-13 | 2026-05-14 |
| CVE-2026-44442 json | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce pro... | Not Provided | 2026-05-13 | 2026-05-14 |
| CVE-2026-44441 json | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could se... | Not Provided | 2026-05-13 | 2026-05-14 |
| CVE-2026-44440 json | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of... | Not Provided | 2026-05-13 | 2026-05-14 |
| CVE-2026-42840 json | An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trig... | Not Provided | 2026-06-03 | 2026-06-03 |
| CVE-2026-42839 json | An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, descr... | Not Provided | 2026-06-03 | 2026-06-03 |
| CVE-2026-38432 json | ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permi... | Not Provided | 2026-05-05 | 2026-05-06 |
Known Affected Configurations (CPE V2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Frappe | Erpnext | 9.2.9 | |||
| Application | Frappe | Erpnext | 9.2.8 | |||
| Application | Frappe | Erpnext | 9.2.7 | |||
| Application | Frappe | Erpnext | 9.2.6 | |||
| Application | Frappe | Erpnext | 9.2.5 | |||
| Application | Frappe | Erpnext | 9.2.4 | |||
| Application | Frappe | Erpnext | 9.2.3 | |||
| Application | Frappe | Erpnext | 9.2.24 | |||
| Application | Frappe | Erpnext | 9.2.23 | |||
| Application | Frappe | Erpnext | 9.2.22 | |||
| Application | Frappe | Erpnext | 9.2.21 | |||
| Application | Frappe | Erpnext | 9.2.20 | |||
| Application | Frappe | Erpnext | 9.2.2 | |||
| Application | Frappe | Erpnext | 9.2.19 | |||
| Application | Frappe | Erpnext | 9.2.18 | |||
| Application | Frappe | Erpnext | 9.2.17 | |||
| Application | Frappe | Erpnext | 9.2.16 | |||
| Application | Frappe | Erpnext | 9.2.15 | |||
| Application | Frappe | Erpnext | 9.2.14 | |||
| Application | Frappe | Erpnext | 9.2.13 |