Server-Side Template Injection in ERPNext by Frappe
CVE-2026-38431

9.8CRITICAL

Key Information:

Vendor: Frappe
Status: ERPNext
Vendor: CVE Published:; 5 May 2026

What is CVE-2026-38431?

ERPNext versions up to v15.103.1 are susceptible to a Server-Side Template Injection (SSTI) vulnerability. This occurs when an attacker, having the permission to create or modify email templates, can inject malicious template expressions. These expressions are then executed on the server when the email templates are rendered, potentially risking sensitive data and system integrity.

References

https://c0wking.hashnode.dev/ssti-in-erpnext-frappe-email...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-38431 Data

JSON