HIGHCVE-2026-32954Published 2026-03-20Modified 2026-03-20CNA GitHub_M

CVE-2026-32954: ERP has a possibility SQL Injection vulnerability due to missing validation

ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database information. This issue has been fixed in versions 15.100.0 and 16.8.0.

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

frappe / erpnext
>= 16.0.0-beta.1, < 16.8.0 · < 15.100.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

References

https://github.com/frappe/erpnext/security/advisories/GHSA-j669-ghv2-gmqg
https://github.com/frappe/erpnext/releases/tag/v15.100.0
https://github.com/frappe/erpnext/releases/tag/v16.8.0

Metrics