CVE-2026-44445

Published: Mag 14, 2026 Last Modified: Mag 14, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference vulnerability in the EDI Module enables an authenticated attacker to read files from the local file system, including sensitive configuration files. This vulnerability is fixed in 15.104.3 and 16.12.0.

611

Improper Restriction of XML External Entity Reference

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability

Potential Impacts:

Read Application Data Read Files Or Directories Bypass Protection Mechanism Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory)

Applicable Platforms

Languages: Not Language-Specific, XML

Technologies: Not Technology-Specific, Web Based

View CWE Details

https://github.com/frappe/erpnext/security/advisories/GHSA-…

https://github.com/frappe/erpnext/security/advisories/GHSA-mhm9-75w7-423r

CVE-2026-44445

Description

Improper Restriction of XML External Entity Reference

Common Consequences

Applicable Platforms

Iscriviti alla newsletter