CVE-2026-27471

EUVD-2026-7727
ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
frappeerpnext
𝑥
< 15.98.1
frappeerpnext
16.0.0 <
𝑥
< 16.6.1
frappeerpnext
16.0.0
frappeerpnext
16.0.0:rc1
frappeerpnext
16.0.0:rc2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/frappe/erpnext/commit/78fc9424d9085c2eafe1211931e22d7044f85fc7
https://github.com/frappe/erpnext/security/advisories/GHSA-wpfx-jw7g-7f83