LeakyCreds

CVE-2026-38431 - Vulnerability Analysis

Critical (CVSS 9.8)

Last Updated: May 6, 2026

ERPNext - Server-Side Template Injection

Published: May 5, 2026
Updated: May 6, 2026
Remotely exploitable

Overview

ERPNext versions up to and including 15.103.1 contain a server-side template injection (SSTI) caused by insufficient sanitization of email templates. An attacker who holds permission to create or edit email templates can store template content that is evaluated on the server when the template is rendered, resulting in arbitrary code execution. The flaw is reachable over the network but only by an account that has that template create/edit permission.

Severity & Score

Severity: Critical
CVSS Score: 9.8

Impact

An attacker with permission to create or edit email templates can execute arbitrary code on the ERPNext application server, which can lead to full compromise of the host and of the business data it holds.

Mitigation

Upgrade ERPNext to a release later than 15.103.1. Until the upgrade is applied, restrict the permission to create or edit email templates to trusted administrative roles and review existing email templates for template expressions that do nothing but walk Python objects, since the flaw is only reachable through that permission.
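The two interim controls above (find suspicious stored templates, and render untrusted template text only inside a sandbox) can be demonstrated with the following Python. This is an added example for this advisory, not ERPNext or Frappe code, and it does not reproduce the project's template pipeline; it assumes that email templates are Jinja templates rendered server-side with a document context named `doc`. The indicator list, the sample templates and the sample document are constructed for the example, and the probe is a generic Jinja SSTI pattern rather than a payload taken from this CVE.

```python
"""Static scan and sandboxed rendering for stored Jinja email templates.

Added example for this advisory; it is not ERPNext or Frappe code and does
not reproduce the project's template pipeline. It assumes that email
templates are Jinja templates rendered server-side with a `doc` context.
"""
import re
from typing import Dict, List, Optional

try:
    from jinja2 import Environment
    from jinja2.sandbox import SandboxedEnvironment, SecurityError
except ImportError:  # the static scan below works without jinja2 installed
    Environment = SandboxedEnvironment = SecurityError = None  # type: ignore

# Indicators of Python object traversal that a legitimate email template
# (which only references document fields such as {{ doc.customer_name }})
# never needs. The list is an assumption of this example, not a project rule.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "dunder_attribute": re.compile(r"__[a-zA-Z]+__"),
    "subclass_walk":    re.compile(r"__subclasses__|__mro__|__bases__"),
    "globals_access":   re.compile(r"__globals__|__builtins__|__import__"),
    "exec_primitive":   re.compile(r"\b(?:popen|system|subprocess|eval|exec)\b"),
    "attr_bypass":      re.compile(r"\|\s*attr\s*\(|\[\s*['\"]_"),
}

# Only expression and statement blocks are evaluated; prose outside them is inert.
TEMPLATE_BLOCK = re.compile(r"{{.*?}}|{%.*?%}", re.DOTALL)


def scan_template(body: str) -> List[str]:
    """Return the sorted indicator names found inside the Jinja blocks of `body`."""
    hits = set()
    for block in TEMPLATE_BLOCK.findall(body):
        for name, pattern in INDICATORS.items():
            if pattern.search(block):
                hits.add(name)
    return sorted(hits)


def render(body: str, context: Dict[str, object], sandboxed: bool) -> Optional[str]:
    """Render `body` with a plain or a sandboxed Jinja environment.

    Returns the rendered text, "BLOCKED" when the sandbox refused an unsafe
    attribute access, or None when jinja2 is not installed.
    """
    if Environment is None:
        return None
    env = SandboxedEnvironment() if sandboxed else Environment()
    try:
        return env.from_string(body).render(**context)
    except SecurityError:
        return "BLOCKED"


# Constructed sample templates: one legitimate, one carrying a generic Jinja
# SSTI probe (walking from a string literal up to object.__subclasses__()).
BENIGN_TEMPLATE = "Dear {{ doc.customer_name }}, invoice {{ doc.name }} is due on {{ doc.due_date }}."
PROBE_TEMPLATE = "Reminder: {{ ''.__class__.__mro__[1].__subclasses__() }}"
# Constructed document context standing in for a sales invoice.
SAMPLE_DOC = {"doc": {"customer_name": "Acme Ltd", "name": "SINV-0001", "due_date": "2026-06-01"}}


if __name__ == "__main__":
    for label, tpl in (("benign", BENIGN_TEMPLATE), ("probe", PROBE_TEMPLATE)):
        print(f"{label}: indicators={scan_template(tpl)}")
        print(f"  plain     -> {str(render(tpl, SAMPLE_DOC, sandboxed=False))[:60]}")
        print(f"  sandboxed -> {render(tpl, SAMPLE_DOC, sandboxed=True)}")
```

The scanner is a triage aid for the templates already stored in a 15.103.1 or older instance, not a substitute for the upgrade: pattern lists can be bypassed, which is why the second half renders untrusted template text only through `SandboxedEnvironment`, where the same probe is refused at the first dunder attribute access while the field references in the benign template still resolve.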

Details

CVE ID
CVE-2026-38431
Severity
Critical
CVSS Score
9.8
Type
template_injection
Status
new

CWE

  • CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Note that the vector's PR:N (no privileges required) does not match the precondition stated in the Overview, which requires an account with permission to create or edit email templates. When prioritizing, treat the attack as requiring an authenticated, privileged user rather than an anonymous one.