CVE-2026-44445

UNKNOWN 0.0

ERPNext: XML External Entity (XEE) Reference Vulnerability in the EDI Module

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference vulnerability in the EDI Module enables an authenticated attacker to read files from the local file system, including sensitive configuration files. This vulnerability is fixed in 15.104.3 and 16.12.0.

CWE	CWE-611
Vendor	frappe
Product	erpnext
Published	May 13, 2026

Stay Ahead of the Next One

Get instant alerts for frappe erpnext

Be the first to know when new unknown vulnerabilities affecting frappe erpnext are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

frappe / erpnext

>= 16.0.0-beta.1, < 16.12.0 < 15.104.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/frappe/erpnext/security/advisories/GHSA-mhm9-75w7-423r