ERPNext
cpe:2.3:a:erpnext:erpnext:*:*:*:*:*:*:*
- <= 15.103.1
A Server-Side Template Injection (SSTI) vulnerability exists in ERPNext versions through 15.103.1. This issue allows an attacker with the ability to create or edit email templates to inject template expressions. These expressions are executed on the server when the template is rendered, potentially leading to unauthorized actions or information disclosure.
Because the injected template expressions are executed on the server during template rendering, successful exploitation could lead to arbitrary code execution or other malicious actions, depending on the injected content.
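A defensive check for the exposure described above, as an added example that is not ERPNext or Frappe code: it audits stored email-template text and flags every tag that is more than a plain field placeholder. It assumes Jinja-style `{{ }}` and `{% %}` delimiters; `audit_template`, the filter allow-list and the sample template are hypothetical and constructed for illustration.

```python
import re

# Assumption: templates use Jinja-style {{ ... }} and {% ... %} tags
# (a leading/trailing "-" is whitespace control and is ignored).
TAG = re.compile(r"\{\{-?(.*?)-?\}\}|\{%-?(.*?)-?%\}", re.S)
# One dotted reference. Every segment must start with a letter, so
# underscore-prefixed attributes, calls and subscripts never match.
REF = r"[A-Za-z]\w*(?:\.[A-Za-z]\w*)*"
ALLOWED_FILTERS = {"upper", "lower", "title", "trim", "escape"}  # hypothetical
EXPR_OK = re.compile(rf"^{REF}((?:\s*\|\s*[a-z]+)*)$")
STMT_OK = re.compile(
    rf"^(?:if\s+(?:not\s+)?{REF}|else|endif"
    rf"|for\s+[A-Za-z]\w*\s+in\s+{REF}|endfor)$"
)

def _expr_allowed(expr):
    """A placeholder is allowed only as a reference plus allow-listed filters."""
    m = EXPR_OK.match(expr)
    if not m:
        return False
    filters = re.findall(r"\|\s*([a-z]+)", m.group(1))
    return all(f in ALLOWED_FILTERS for f in filters)

def audit_template(source):
    """Return (line_number, tag_text) for each tag outside the allow-list."""
    findings = []
    for m in TAG.finditer(source):
        expr, stmt = m.group(1), m.group(2)
        if expr is not None:
            ok = _expr_allowed(expr.strip())
        else:
            ok = bool(STMT_OK.match(stmt.strip()))
        if not ok:
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(0)))
    return findings

# Constructed sample: lines 1-4 are ordinary placeholders, lines 5-8 are not.
SAMPLE = """Dear {{ customer.name | title }},
{%- if doc.outstanding %}
Balance due: {{ doc.outstanding }}
{% endif %}
{{ doc.get_total() }}
{{ doc._meta }}
{{ doc.name | safe }}
{% set x = 1 %}
"""

if __name__ == "__main__":
    for line, tag in audit_template(SAMPLE):
        print(f"line {line}: review {tag}")
```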