Server-Side Template Injection in ERPNext by Frappe
CVE-2026-55242

8.8HIGH

Key Information:

Vendor

Frappe

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-55242?

ERPNext, an open source Enterprise Resource Planning tool developed by Frappe, is vulnerable to a server-side template injection issue. An authenticated user with standard permissions can exploit this vulnerability through a misconfigured field, potentially leading to unauthorized access and disclosure of sensitive data beyond their usual permission boundaries. This critical flaw has been addressed in versions 15.111.0 and 16.22.0, making it essential for users to upgrade to these releases to safeguard their systems.

Affected Version(s)

erpnext < 15.111.0 < 15.111.0

erpnext >= 16.0.0, < 16.22.0 < 16.0.0, 16.22.0

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.