Score: 9.8
CVE-2026-38431: ERPNext Email Templates Can Execute Malicious Code
Summary
ERPNext renders email templates server-side with Jinja, and the advisory reports a Server-Side Template Injection (SSTI) in that rendering path. An attacker who already holds permission to create or edit email templates can store template expressions that the server evaluates whenever the template is rendered; in an SSTI that typically means code execution inside the application process, which is why the flaw is classed as CWE-94 (Code Injection) and scored 9.8. Note that the affected-version boundary is stated inconsistently on this page: the original advisory text says v15.103.1 and earlier are vulnerable, while the remediation is described as updating to 15.103.1 or later. Confirm the patched release against the vendor's release notes before relying on either boundary. Until the upgrade is in place, restrict the email-template create/edit permission to trusted administrators and audit stored templates for expressions that reach beyond the document fields they are meant to display.
Original title
ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed ...
Original description
ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.
Vulnerability type
CWE-94
Code Injection
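The mechanism behind an SSTI of this kind, and the sandbox rule that closes it, as an added example that is not ERPNext or Frappe code. Frappe's email templates are Jinja; the toy resolver below only handles `{{ a.b.c }}` expressions and stands in for the engine so the attribute-traversal problem can be shown without a dependency. The `Customer` class and the `doc` context are constructed sample data, not a real DocType.

```python
import re
import types


class Customer:
    """Constructed stand-in for the document an email template is rendered
    against (assumption: a real Frappe DocType exposes far more than this)."""

    def __init__(self, customer_name, email_id):
        self.customer_name = customer_name
        self.email_id = email_id

    def greeting(self):
        return f"Dear {self.customer_name}"


# Only the simplest expression form, {{ name.attr.attr }}. Real Jinja grammar
# is far richer; this models attribute traversal, it does not parse Jinja.
EXPR = re.compile(r"\{\{\s*([A-Za-z_][\w.]*)\s*\}\}")


class UnsafeTemplateError(ValueError):
    """Raised when a template expression reaches outside the allowed context."""


def _resolve(context, dotted, getter):
    obj = context
    for part in dotted.split("."):
        obj = getter(obj, part)
    return obj


def render_unsafe(template, context):
    """Unsandboxed rendering: every dotted segment is a live getattr.
    Whoever controls the template can walk from any context object to its
    class, to a method's __globals__ and from there to the interpreter."""
    def get(obj, part):
        return obj[part] if isinstance(obj, dict) else getattr(obj, part)
    return EXPR.sub(lambda m: str(_resolve(context, m.group(1), get)), template)


def render_sandboxed(template, context):
    """Rendering with a sandbox rule: reject underscore-prefixed names (the
    rule Jinja's SandboxedEnvironment.is_safe_attribute applies) and, stricter
    than Jinja, refuse to hand classes or modules to the template at all."""
    def get(obj, part):
        if part.startswith("_"):
            raise UnsafeTemplateError(f"attribute {part!r} is not allowed in templates")
        val = obj[part] if isinstance(obj, dict) else getattr(obj, part)
        if isinstance(val, (type, types.ModuleType)):
            raise UnsafeTemplateError(f"{part!r} resolves to a class or module")
        return val
    return EXPR.sub(lambda m: str(_resolve(context, m.group(1), get)), template)


def sandbox_rejects(template, context):
    """True if the sandboxed renderer refuses the template."""
    try:
        render_sandboxed(template, context)
    except UnsafeTemplateError:
        return True
    return False


def find_unsafe_expressions(template):
    """Static check for stored templates: list expressions that touch a
    private or dunder name, so existing templates can be audited before
    (and after) the renderer is moved to the sandboxed path."""
    return [expr for expr in EXPR.findall(template)
            if any(part.startswith("_") for part in expr.split("."))]


# Constructed sample context, the shape a template would normally see.
SAMPLE_CONTEXT = {"doc": Customer("Acme Corp", "billing@example.invalid")}

if __name__ == "__main__":
    print(render_unsafe("Hello {{ doc.customer_name }}", SAMPLE_CONTEXT))
    print(render_unsafe("{{ doc.__class__.__name__ }}", SAMPLE_CONTEXT))
    print(sandbox_rejects("{{ doc.__class__.__name__ }}", SAMPLE_CONTEXT))
    print(find_unsafe_expressions("{{ doc.customer_name }} {{ doc.greeting.__globals__ }}"))
```

The unsafe resolver is the shape of the bug: a stored template is trusted as much as application code, so a legitimate-looking `doc` variable becomes a path to `__class__` and `__globals__`. The underscore rule is what Jinja's sandbox enforces and is the minimum a template-rendering feature exposed to non-developer roles should have; `find_unsafe_expressions` is the cheap audit to run over every stored template on an instance that has not yet been upgraded.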
Published: 5 May 2026 · Updated: 28 May 2026 · First seen: 5 May 2026