PT-2026-60210 · Frappe · Erpnext
Published
2026-07-15
·
Updated
2026-07-15
·
CVE-2026-55242
CVSS v3.1
8.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.111.0 and 16.22.0, an authenticated user with a standard operational role can trigger server-side template injection through a configuration field, resulting in unauthorized disclosure of data outside the user's normal permission scope. This issue is fixed in versions 15.111.0 and 16.22.0.
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Erpnext