CVE-2026-55242 PUBLISHED

ERPNext: Server-Side Template Injection (SSTI) in Batch autonaming via Stock Settings.naming_series_prefix

Assigner: GitHub_M
Reserved: 16.06.2026 Published: 15.07.2026 Updated: 15.07.2026

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.111.0 and 16.22.0, an authenticated user with a standard operational role can trigger server-side template injection through a configuration field, resulting in unauthorized disclosure of data outside the user's normal permission scope. This issue is fixed in versions 15.111.0 and 16.22.0.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 8.8

Product Status

Vendor frappe
Product erpnext
Versions
  • Version < 15.111.0 is affected
  • Version >= 16.0.0, < 16.22.0 is affected

References

Problem Types

  • CWE-863: Incorrect Authorization CWE
  • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine CWE