CVE-2026-38431

Severity: CRITICAL 9.8 · EPSS percentile 30.7%

Description

ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.39% probability of exploitation · percentile 30.7% · 2026-06-19T12:03:05Z
Published: 2026-05-05
Last modified: 2026-05-08

Underlying weaknesses · 1

CWE-94

References

  1. https://c0wking.hashnode.dev/ssti-in-erpnext-frappe-email-template-engine


Type     | Target                                                              | Confidence | Tier
Weakness | Improper Control of Generation of Code ('Code Injection') (cwe-94) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-66434
  2. CVE-2025-66437
  3. CVE-2025-66438
  4. CVE-2025-70830
  5. CVE-2026-31017
  6. CVE-2023-22952

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.