CVE-2026-44446

Severity CVSS v4.0:
Pending analysis
Type:
CWE-89 SQL Injection
Publication date:
13/05/2026
Last modified:
14/05/2026

Description

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 15.104.3 and 16.14.0.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:* 15.104.3 (excluding)
cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:* 16.0.0 (including) 16.14.0 (excluding)