SQL Injection Vulnerability in Frappe ERP Tool
CVE-2026-32954

7.1HIGH

Key Information:

Vendor

Frappe

Status
Erpnext
Vendor
CVE Published:
20 March 2026

What is CVE-2026-32954?

Frappe ERP, an open-source Enterprise Resource Planning tool, has been found to be vulnerable in versions prior to 16.8.0 and 15.100.0. The vulnerability allows for time-based and boolean-based blind SQL injection due to inadequate parameter validation in certain endpoints. This could enable attackers to extract sensitive database information, compromising the integrity and confidentiality of the data. The issue has been resolved in updated versions 15.100.0 and 16.8.0, and users are encouraged to upgrade to mitigate risks.

Affected Version(s)

erpnext >= 16.0.0-beta.1, < 16.8.0 < 16.0.0-beta.1, 16.8.0

erpnext < 15.100.0 < 15.100.0

References

https://github.com/frappe/erpnext/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/frappe/erpnext/releases/tag/v15.100.0
x_refsource_MISC
https://github.com/frappe/erpnext/releases/tag/v16.8.0
x_refsource_MISC

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.