CVE-2026-44441

Severity CVSS v4.0:
Pending analysis
Type:
CWE-918 Server-Side Request Forgery (SSRF)
Publication date:
13/05/2026
Last modified:
14/05/2026

Description

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoint, which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 15.106.0 and 16.16.0.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:* 15.106.0 (excluding)
cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:* 16.0.0 (including) 16.16.0 (excluding)