ERPNext XML External Entity Reference Vulnerability in EDI Module Allowing File Read

Vulnerability

An improper restriction of XML external entity (XXE) references has been identified in the EDI Module of ERPNext, an open-source Enterprise Resource Planning tool. The vulnerability affects versions prior to 15.104.3 and 16.12.0 and enables authenticated attackers to read files from the local file system, including sensitive configuration files. The issue has been addressed in the latest releases of ERPNext.

Impact

Exploitation of this vulnerability allows authenticated attackers to read local files, potentially including sensitive configuration information.

Remediation

Users are advised to upgrade to ERPNext version 15.104.3 or 16.12.0.
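The root cause described above is an XML parser that resolves entity declarations, so a document can declare an external entity and have its contents substituted into the parsed output. The example below is added here as an illustration of the defensive control; it is not ERPNext's own code or its actual fix. It assumes a hypothetical EDI import routine that receives XML as bytes and uses only the Python standard library (expat) to refuse DTDs, entity declarations and external entity references before anything is resolved. The sample documents are constructed; the file URI in the second one is a placeholder, not a real path.

```python
"""Hardened XML parsing for EDI-style documents using only the standard library.

Rather than trusting a general-purpose parser's defaults, every construct that
enables XXE (DOCTYPE, entity declarations, external entity references) is
refused the moment expat reports it, so nothing is ever read from disk.
"""
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when a document uses a construct that enables XXE or entity expansion."""


def parse_edi_xml_safely(data, forbid_dtd=True):
    """Parse `data` (str or bytes) into an ElementTree Element, rejecting XXE vectors.

    forbid_dtd=True rejects any DOCTYPE outright (the strictest setting).
    With forbid_dtd=False a DTD is tolerated but entity declarations are still refused.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    parser = expat.ParserCreate()
    # Never fetch or parse external parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    tree = ET.TreeBuilder()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd:
            raise UnsafeXMLError("DTD not allowed (DOCTYPE %r)" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # External (SYSTEM/PUBLIC) entities are the file-read vector; internal
        # ones enable entity-expansion denial of service. Refuse both.
        kind = "external" if (sysid or pubid) else "internal"
        raise UnsafeXMLError("%s entity declaration %r not allowed" % (kind, name))

    def on_external_entity_ref(context, base, sysid, pubid):
        # Defence in depth: reached only if a declaration slipped through.
        raise UnsafeXMLError("external entity reference to %r refused" % sysid)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref
    parser.StartElementHandler = tree.start
    parser.EndElementHandler = tree.end
    parser.CharacterDataHandler = tree.data
    parser.Parse(data, True)
    return tree.close()


def classify(data, forbid_dtd=True):
    """Return ('accepted', root_tag), ('rejected', reason) or ('malformed', reason)."""
    try:
        root = parse_edi_xml_safely(data, forbid_dtd=forbid_dtd)
    except UnsafeXMLError as exc:
        return ("rejected", str(exc))
    except expat.ExpatError as exc:
        return ("malformed", str(exc))
    return ("accepted", root.tag)


# Constructed sample documents (hypothetical EDI invoice shape, not ERPNext's schema).
BENIGN_DOC = (
    '<?xml version="1.0"?>'
    "<Invoice><Number>INV-001</Number><Total>100.00</Total></Invoice>"
)
# Declares an external entity pointing at a placeholder URI; must be refused.
EXTERNAL_ENTITY_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE Invoice [<!ENTITY cfg SYSTEM "file:///PLACEHOLDER/path">]>'
    "<Invoice><Number>&cfg;</Number></Invoice>"
)
# Internal entity only: no file read, but still refused to block expansion attacks.
INTERNAL_ENTITY_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE Invoice [<!ENTITY x "aa">]>'
    "<Invoice><Number>&x;</Number></Invoice>"
)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_DOC), ("external", EXTERNAL_ENTITY_DOC),
                       ("internal", INTERNAL_ENTITY_DOC)]:
        print(label, "strict:", classify(doc), "| dtd tolerated:", classify(doc, forbid_dtd=False))
```

Running the block prints the verdict for each sample under both settings: the benign invoice parses, while both entity-bearing documents are rejected before any entity is resolved. The check happens inside the parser callbacks rather than by regex-scanning the input for `<!DOCTYPE`, so encoding tricks that defeat a textual pre-filter still hit the handler.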

Added: May 13, 2026, 10:23 PM
Updated: May 13, 2026, 10:23 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 3.3
exploitability: 4.9
remediation: 7.7
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.