SB2026043014 - Multiple vulnerabilities in ERPNext



SB2026043014 - Multiple vulnerabilities in ERPNext

Published: April 30, 2026 Updated: April 30, 2026

Security Bulletin ID SB2026043014
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform unauthorized actions, access and modify data, and steal tokens.

The vulnerability exists due to cross-site scripting in dashboards, tools, and portals when rendering crafted record names. A remote user can craft record names to perform unauthorized actions, access and modify data, and steal tokens.

User interaction is required to trigger the injected script.


2) XML External Entity injection (CVE-ID: CVE-2026-44445)

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper restriction of xml external entity reference in the EDI Module when processing XML documents. A remote user can supply a crafted XML document to disclose sensitive information.

The issue can expose files from the local file system, including sensitive configuration files.


Remediation

Install update from vendor's website.