ERPNext Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in ERPNext versions prior to 15.106.0 and 16.16.0. This vulnerability allows a malicious user to send a crafted request to an endpoint, which then leads the server to make an HTTP call to a service of the user's choice.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where the server is tricked into making requests to internal or external services on behalf of the attacker.

Remediation

Users are advised to upgrade to ERPNext versions 15.106.0 or 16.16.0.

Added: May 13, 2026, 10:23 PM
Updated: May 13, 2026, 10:23 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 0.4
exploitability: 4.3
remediation: 7.7
relevance: 8.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.