CVE-2026-38431
CRITICAL NVDCVSS Score
9.8
Severity
CRITICAL
Source
NVD
Published
May 05, 2026
Description
ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.