CVE-2026-55242
HIGH
NVD
CVSS Score
8.8
Severity
HIGH
Published
Jul 15, 2026
Vendor
unknown
Description
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.111.0 and 16.22.0, an authenticated user with a standard operational role can trigger server-side template injection through a configuration field, resulting in unauthorized disclosure of data outside the user's normal permission scope. This issue is fixed in versions 15.111.0 and 16.22.0.