CVE-2026-32954

Received Received - Intake

Blind SQL Injection in ERP Endpoints Allows Data Exposure

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description

ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database information. This issue has been fixed in versions 15.100.0 and 16.8.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-20

Last Modified

2026-03-23

Generated

2026-05-06

AI Q&A

2026-03-20

EPSS Evaluated

2026-05-05

NVD

CVE-2026-32954

EUVD

EUVD-2026-13547

Affected Vendors & Products

Vendor	Product	Version / Range
frappe	erpnext	to 15.100.0 (exc)
frappe	erpnext	From 16.0.0 (inc) to 16.8.0 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Powered Q&A

Can you explain this vulnerability to me?

The vulnerability affects ERP, a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection attacks. This was due to insufficient parameter validation, which allowed attackers to infer information from the database by exploiting these injection points.

How can this vulnerability impact me? :

This vulnerability can allow an attacker to extract sensitive database information by exploiting blind SQL injection flaws. Although it does not directly allow modification or deletion of data, the attacker can infer confidential data, which can lead to information disclosure. The CVSS score indicates a high impact on confidentiality with a score of 7.1.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know

How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know

What immediate steps should I take to mitigate this vulnerability?

To mitigate the vulnerability, upgrade ERPNext to version 15.100.0 or later, or version 16.8.0 or later, as these versions include fixes for the SQL injection issues.

Ask Our AI Assistant

Need more information? Ask your question to get an AI reply (Powered by our expertise)

0/70

CVE-2026-32954

Blind SQL Injection in ERP Endpoints Allows Data Exposure

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Powered Q&A

Ask Our AI Assistant

EPSS Chart