CVE-2023-54345 - Vulnerability Analysis
HighCVSS: 8.8Last Updated: May 5, 2026
Frappe Framework ERPNext - Command Injection
Published: May 5, 2026Updated: May 5, 2026Remote Exploitable
Overview
Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability caused by frame introspection in RestrictedPython, letting authenticated System Manager users execute arbitrary code via server scripts.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Authenticated System Manager users can execute arbitrary system commands, potentially leading to full server compromise.
Mitigation
Update to the latest version of ERPNext.
References
- https://ur4ndom.dev/posts/2023-07-02-uiuctf-rattler-read/
- https://www.exploit-db.com/exploits/51580
- https://www.vulncheck.com/advisories/frappe-framework-erpnext-remote-code-execution
- http://erpnext.org
- https://frappeframework.com/docs/v13/user/en/desk/scripting/server-script
- https://gist.github.com/lebr0nli/c2fc617390451f0e5a4c31c87d8720b6
- https://github.com/frappe/frappe/
- https://github.com/frappe/frappe/blob/v13.4.0/frappe/utils/safe_exec.py#L42
Related Resources
Details
- CVE ID
- CVE-2023-54345
- Severity
- High
- CVSS Score
- 8.8
- Type
- command_injection
- Status
- new
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H