CVE 9.8 CRITICAL

CVE-2026-38431_CVE-2026-38431

May 6, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.

AI Analysis

Server-Side Template Injection (SSTI) vulnerability in ERPNext v15.103.1 and before

Basic Information

ID CVE-2026-38431

Source mitre

Published May 5, 2026 at 00:00

Modified May 6, 2026 at 15:26

Affected Product

Vendor Frappe Technologies

Product ERPNext

Version v15.103.1 and before

Affected Versions n/a n/a n/a

CWE Classification

CWE-94

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Frappe Technologies

Product ERPNext

Version v15.103.1 and before

References

c0wking.hashnode.dev /ssti-in-erpnext-frappe-email-template-engine

{
    "lastseen": "",
    "description": "ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.",
    "published": "2026-05-05T00:00:00.000Z",
    "modified": "2026-05-06T15:26:19.751Z",
    "type": "cve",
    "title": "CVE-2026-38431",
    "source": "mitre",
    "references": "https://c0wking.hashnode.dev/ssti-in-erpnext-frappe-email-template-engine",
    "id": "CVE-2026-38431",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ERPNext",
    "version": "v15.103.1 and before",
    "vendor": "Frappe Technologies",
    "ai_description": "Server-Side Template Injection (SSTI) vulnerability in ERPNext v15.103.1 and before",
    "ai_severity": "Critical",
    "ai_vendor": "Frappe Technologies",
    "ai_product": "ERPNext",
    "ai_version": "v15.103.1 and before",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply