{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32954", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T00:05:53.285Z", "datePublished": "2026-03-20T04:30:26.360Z", "dateUpdated": "2026-03-20T04:30:26.360Z"}, "containers": {"cna": {"title": "ERP has a possibility SQL Injection vulnerability due to missing validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/frappe/erpnext/security/advisories/GHSA-j669-ghv2-gmqg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/erpnext/security/advisories/GHSA-j669-ghv2-gmqg"}, {"name": "https://github.com/frappe/erpnext/releases/tag/v15.100.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/frappe/erpnext/releases/tag/v15.100.0"}, {"name": "https://github.com/frappe/erpnext/releases/tag/v16.8.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/frappe/erpnext/releases/tag/v16.8.0"}], "affected": [{"vendor": "frappe", "product": "erpnext", "versions": [{"version": ">= 16.0.0-beta.1, < 16.8.0", "status": "affected"}, {"version": "< 15.100.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T04:30:26.360Z"}, "descriptions": [{"lang": "en", "value": "ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database information. This issue has been fixed in versions 15.100.0 and 16.8.0."}], "source": {"advisory": "GHSA-j669-ghv2-gmqg", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database information. This issue has been fixed in versions 15.100.0 and 16.8.0."}], "id": "CVE-2026-32954", "lastModified": "2026-03-20T05:16:14.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T05:16:14.877", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/frappe/erpnext/releases/tag/v15.100.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/frappe/erpnext/releases/tag/v16.8.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/frappe/erpnext/security/advisories/GHSA-j669-ghv2-gmqg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[16.0.0-beta.1,16.8.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,15.100.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "erpnext", "source": "cna", "vendor": "frappe"}, "product": "erpnext", "vendor": "frappe"}], "analysis": {"en": {"generated_at": "2026-03-20T05:21:09.193792+00:00", "value": {"mitigation_remediation": ["Upgrade ERPNext to version 15.100.0 or later, or 16.8.0 or later. This releases contain the fix for the blind SQL injection.", "Verify that the previously vulnerable endpoints have been removed or secured in the upgraded deployment."], "summary": {"action": "Patch", "impact": "SQL Injection (Information Disclosure)"}, "threat_synthesis": {"affected_systems": "Affected vendors and products are frappe:erpnext. Versions prior to 15.100.0 and 16.8.0 contain the flaw. This includes any 15.x releases older than 15.100.0 and any 16.x releases older than 16.8.0. The public advisories and release notes confirm that the issue is fixed in those two versions.", "description_and_impact": "The vulnerability is a blind SQL injection that arises from missing validation on certain ERPNext endpoints. By sending time-based or boolean-based injection payloads, an attacker can infer sensitive database information. The primary impact is the disclosure of confidential data such as user credentials, business records, or other stored information. The weakness corresponds to CWE-89, an SQL injection failure-of-constraint violation. Based on the description, it is inferred that the injection can be made without executing arbitrary code; however, the data exfiltration it enables constitutes a significant confidentiality breach.", "risk_and_exploitability": "The CVSS base score is 7.1, indicating high severity. EPSS is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is remote, via an exposed web endpoint that accepts unsanitized input. Exploitation requires sending crafted SQL payloads; it is a blind attack, so an attacker would need to observe timing or boolean responses to gather data. Overall risk is high for affected installations that expose the vulnerable endpoints, with a realistic chance of successful exploitation if no mitigation is applied."}}}}, "created": "2026-03-20T08:52:39.040862+00:00", "updated": "2026-03-20T10:37:20.729493+00:00", "vendors": ["frappe", "frappe$PRODUCT$erpnext"]}