Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

ERPNext

Source -

CNA

CNA CVEs -

6

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
6Vulnerabilities found
CVE-2026-42839
Assigner-Fluid Attacks
ShareView Details
Assigner-Fluid Attacks
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 14.75%
||
7 Day CHG+0.01%
Published-03 Jun, 2026 | 17:44
Updated-03 Jun, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ERPNext 16.16.0 - Stored XSS in POS cart item rendering

An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a transaction.This issue affects ERPNext: 16.16.0.

Action-Not Available
Vendor-Frappe
Product-ERPNext
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-42840
Assigner-Fluid Attacks
ShareView Details
Assigner-Fluid Attacks
CVSS Score-5.1||MEDIUM
EPSS-0.05% / 16.72%
||
7 Day CHG~0.00%
Published-03 Jun, 2026 | 17:35
Updated-03 Jun, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ERPNext 16.16.0 - Stored XSS in POS customer section via unescaped template literals

An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0.

Action-Not Available
Vendor-Frappe
Product-ERPNext
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6145
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-6.4||MEDIUM
EPSS-1.73% / 82.84%
||
7 Day CHG~0.00%
Published-10 Aug, 2020 | 13:10
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Action-Not Available
Vendor-frappen/a
Product-erpnextERPNext
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-3883
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 49.73%
||
7 Day CHG~0.00%
Published-12 Sep, 2018 | 14:00
Updated-17 Sep, 2024 | 03:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The employee and sort_order parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.

Action-Not Available
Vendor-erpnextTalos (Cisco Systems, Inc.)
Product-erpnextERPNext
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-3884
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 49.73%
||
7 Day CHG~0.00%
Published-12 Sep, 2018 | 14:00
Updated-16 Sep, 2024 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The sort_by and start parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.

Action-Not Available
Vendor-erpnextTalos (Cisco Systems, Inc.)
Product-erpnextERPNext
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-3885
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 49.73%
||
7 Day CHG~0.00%
Published-12 Sep, 2018 | 14:00
Updated-16 Sep, 2024 | 22:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The order_by parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.

Action-Not Available
Vendor-erpnextTalos (Cisco Systems, Inc.)
Product-erpnextERPNext
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')