CVE-2026-32954

EUVD-2026-13547
ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database information. This issue has been fixed in versions 15.100.0 and 16.8.0.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
GitHub_MCNA
7.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
frappeerpnext
𝑥
< 15.100.0
frappeerpnext
16.0.0 ≤
𝑥
< 16.8.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/frappe/erpnext/releases/tag/v15.100.0
https://github.com/frappe/erpnext/releases/tag/v16.8.0
https://github.com/frappe/erpnext/security/advisories/GHSA-j669-ghv2-gmqg