SB2026043014 - Multiple vulnerabilities in ERPNext
Published: April 30, 2026 Updated: April 30, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to perform unauthorized actions, access and modify data, and steal tokens.
The vulnerability exists due to cross-site scripting in dashboards, tools, and portals when rendering crafted record names. A remote user can craft record names to perform unauthorized actions, access and modify data, and steal tokens.
User interaction is required to trigger the injected script.
2) XML External Entity injection (CVE-ID: CVE-2026-44445)
CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper restriction of xml external entity reference in the EDI Module when processing XML documents. A remote user can supply a crafted XML document to disclose sensitive information.
The issue can expose files from the local file system, including sensitive configuration files.
Remediation
Install update from vendor's website.