HIGH · CVE-2026-44447 · CVSS 8.8

CVE-2026-44447: SQL Injection in ERPNext

Platform

php

Component

erpnext

Fixed in

16.9.0

CVE-2026-44447 describes a SQL Injection vulnerability affecting ERPNext, a free and open-source ERP system. This flaw allows attackers to extract sensitive information from the database through specially crafted requests. The vulnerability impacts versions 0.0.0 up to, but not including, 16.9.0. A patch is available in version 16.9.0.

Impact and Attack Scenarios

Successful exploitation of this SQL Injection vulnerability could allow an attacker to bypass authentication and authorization controls, gaining unauthorized access to the ERPNext database. Sensitive data such as user credentials, financial records, customer information, and inventory data could be compromised. Depending on the database configuration and permissions, an attacker might even be able to modify or delete data, leading to significant operational disruption and potential financial losses. The blast radius extends to any system relying on the integrity of the ERPNext database.

Exploitation Context

This vulnerability was published on May 13, 2026. As of this date, there are no publicly known active campaigns exploiting CVE-2026-44447. No public proof-of-concept (PoC) code has been released. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of exploitation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base score: 8.8 (High)
Source: nextguardhq.com, CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: erpnext
Vendor: frappe
Minimum version: 0.0.0
Maximum version: < 16.9.0
Fixed in: 16.9.0

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

The primary mitigation for CVE-2026-44447 is to upgrade ERPNext to version 16.9.0 or later, which includes the necessary fix. If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) with rules to detect and block SQL injection attempts targeting vulnerable endpoints. Input validation and sanitization on the application layer can also help reduce the attack surface. Regularly review and harden database permissions to limit the potential impact of a successful attack. After upgrading, verify the fix by attempting a SQL injection payload on a known vulnerable endpoint and confirming that it is blocked.

How to fix

Upgrade to version 16.9.0 or later to mitigate the SQL injection vulnerability. Check the release notes for specific upgrade instructions and possible configuration changes. Implement robust input validation at all data entry points to prevent future SQL injections.

Frequently asked questions

What is CVE-2026-44447 — SQL Injection in ERPNext?

CVE-2026-44447 is a high-severity SQL Injection vulnerability affecting ERPNext versions 0.0.0 up to, but not including, 16.9.0. It allows attackers to extract sensitive data via crafted requests.

Am I affected by CVE-2026-44447 in ERPNext?

You are affected if you are running ERPNext versions 0.0.0 through 16.8.9. Upgrade to 16.9.0 to resolve the vulnerability.

How do I fix CVE-2026-44447 in ERPNext?

Upgrade ERPNext to version 16.9.0 or later. As a temporary workaround, implement a WAF with SQL injection protection rules.

Is CVE-2026-44447 being actively exploited?

As of May 13, 2026, there are no publicly known active campaigns exploiting CVE-2026-44447, but continuous monitoring is recommended.

Where can I find the official ERPNext advisory for CVE-2026-44447?

Refer to the official ERPNext security advisories on their website or GitHub repository for the latest information and updates regarding CVE-2026-44447.
