Server-Side Template Injection in ERPNext by Frappe
CVE-2026-55242
8.8HIGH
What is CVE-2026-55242?
ERPNext, an open source Enterprise Resource Planning tool developed by Frappe, is vulnerable to a server-side template injection issue. An authenticated user with standard permissions can exploit this vulnerability through a misconfigured field, potentially leading to unauthorized access and disclosure of sensitive data beyond their usual permission boundaries. This critical flaw has been addressed in versions 15.111.0 and 16.22.0, making it essential for users to upgrade to these releases to safeguard their systems.
Affected Version(s)
erpnext < 15.111.0 < 15.111.0
erpnext >= 16.0.0, < 16.22.0 < 16.0.0, 16.22.0
