CVE-2026-44446

Frappe · ERPNext

ERPNext contains a SQL injection vulnerability that allows authenticated users to execute arbitrary SQL commands due to improper input sanitization.

Executive summary

An authenticated SQL injection vulnerability in ERPNext (CVE-2026-44446) presents a critical risk, enabling attackers to compromise database integrity and confidentiality.

Vulnerability

This is a CWE-89 (SQL Injection) vulnerability occurring in the application's query handling layer. Exploitation requires the attacker to be authenticated, though the impact is severe, potentially allowing for full administrative control over the underlying database.

Business impact

The ability to inject arbitrary SQL queries allows an attacker to exfiltrate sensitive corporate data, alter financial or operational records, or gain unauthorized administrative access. The CVSS score of 8.8 underscores the severity of this risk, posing a threat to the core reliability and security of the ERP system.

Remediation

Immediate Action: Update ERPNext to version 16.14.0 or 15.104.3, depending on the current branch in use.

Proactive Monitoring: Review application access logs and database audit trails for unauthorized query attempts or signs of anomalous database activity.

Compensating Controls: Implement strict input validation at the application level and utilize a WAF to block common SQL injection payloads.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Immediate remediation is required to secure the database layer. IT teams should verify their current version against the affected ranges and apply the vendor-provided patches as soon as possible to mitigate the risk of data breach.