CVE-2026-32954

Published: Mar 20, 2026

Modified: Mar 20, 2026

PUBLISHED

CVSS v3.1

7.1

HIGH

Description

ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database information. This issue has been fixed in versions 15.100.0 and 16.8.0.

Vendor	Product	Versions
frappe	erpnext	affected `>= 16.0.0-beta.1, < 16.8.0` affected `< 15.100.0`

Weaknesses (CWE)

CWE-89

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

Low

References

https://github.com/frappe/erpnext/security/advisories/GHSA-j669-ghv2-gmqg

x_refsource_CONFIRM

https://github.com/frappe/erpnext/releases/tag/v15.100.0

x_refsource_MISC

https://github.com/frappe/erpnext/releases/tag/v16.8.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-32954

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References