ERPNext: Possibility of SQL Injection due to missing validation

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 15.104.3 and 16.14.0.

AI Analysis

SQL injection vulnerability in ERPNext due to missing validation, allowing extraction of sensitive information

Basic Information

ID CVE-2026-44446

Source GitHub_M

Published May 13, 2026 at 21:18

Affected Product

Vendor frappe

Product erpnext

Version >= 16.0.0-beta.1, < 16.14.0

Affected Versions frappe erpnext >= 16.0.0-beta.1, < 16.14.0
frappe erpnext < 15.104.3

CWE Classification

CWE-89

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Frappe

Product ERPNext

Version <= 16.0.0-beta.1, < 16.14.0, < 15.104.3

References

github.com /frappe/erpnext/security/advisories/GHSA-6fm9-g88m-hxr7

{
    "lastseen": "",
    "description": "ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 15.104.3 and 16.14.0.",
    "published": "2026-05-13T21:18:17.477Z",
    "modified": "2026-05-13T21:18:17.477Z",
    "type": "cve",
    "title": "ERPNext: Possibility of SQL Injection due to missing validation",
    "source": "GitHub_M",
    "references": "https://github.com/frappe/erpnext/security/advisories/GHSA-6fm9-g88m-hxr7",
    "id": "CVE-2026-44446",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "frappe erpnext >= 16.0.0-beta.1, < 16.14.0\nfrappe erpnext < 15.104.3",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "erpnext",
    "version": ">= 16.0.0-beta.1, < 16.14.0",
    "vendor": "frappe",
    "ai_description": "SQL injection vulnerability in ERPNext due to missing validation, allowing extraction of sensitive information",
    "ai_severity": "High",
    "ai_vendor": "Frappe",
    "ai_product": "ERPNext",
    "ai_version": "<= 16.0.0-beta.1, < 16.14.0, < 15.104.3",
    "ai_score": 8.8
}

ERPNext: Possibility of SQL Injection due to missing validation_CVE-2026-44446