CVE-2026-32954

Received Received - Intake

Blind SQL Injection in ERP Endpoints Allows Data Exposure

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description

ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database information. This issue has been fixed in versions 15.100.0 and 16.8.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-20

Last Modified

2026-03-23

Generated

2026-06-16

AI Q&A

2026-03-20

EPSS Evaluated

2026-06-14

NVD

CVE-2026-32954

EUVD

EUVD-2026-13547

Affected Vendors & Products

Vendor	Product	Version / Range
frappe	erpnext	to 15.100.0 (exc)
frappe	erpnext	From 16.0.0 (inc) to 16.8.0 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

The vulnerability affects ERP, a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection attacks. This was due to insufficient parameter validation, which allowed attackers to infer information from the database by exploiting these injection points.

Impact Analysis

This vulnerability can allow an attacker to extract sensitive database information by exploiting blind SQL injection flaws. Although it does not directly allow modification or deletion of data, the attacker can infer confidential data, which can lead to information disclosure. The CVSS score indicates a high impact on confidentiality with a score of 7.1.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the vulnerability, upgrade ERPNext to version 15.100.0 or later, or version 16.8.0 or later, as these versions include fixes for the SQL injection issues.

Hi! I’m here to help you understand CVE-2026-32954. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-32954

Blind SQL Injection in ERP Endpoints Allows Data Exposure

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart