Cyber Posture

CVE-2026-32954

Severity: High
Published: 20 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: available (fixed in 15.100.0 and 16.8.0)
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
EPSS Score: 0.0004 (13.0th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32954 is a high-severity SQL Injection (CWE-89) vulnerability in Frappe Erpnext. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 13.0th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Directly mitigates blind SQL injection by enforcing validation of parameters at vulnerable endpoints lacking sufficient input checks.
- SI-2 Flaw Remediation (prevent): Ensures timely flaw remediation through patching to fixed ERPNext versions 15.100.0 and 16.8.0, eliminating the SQL injection vulnerability.
- SC-7 Boundary Protection (prevent, detect): Boundary protection with web application firewalls inspects and blocks SQL injection payloads targeting the vulnerable endpoints.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.

Why these techniques?

Blind SQL injection in public-facing ERPNext web endpoints directly enables remote exploitation of the application (T1190). Successful attacks allow inference of backend database contents, directly facilitating data collection from databases (T1213.006).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

ERPNext is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database information.…


This issue has been fixed in versions 15.100.0 and 16.8.0.

Deeper analysis

CVE-2026-32954 is a blind SQL injection vulnerability affecting ERPNext, a free and open-source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints lack sufficient parameter validation, enabling time-based and boolean-based blind SQL injection attacks that allow attackers to infer sensitive database information. The vulnerability is rated with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L) and is associated with CWE-89 (SQL Injection). It was published on 2026-03-20.

Attackers with low privileges, such as authenticated users, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation primarily grants high confidentiality impact by allowing inference of database contents, with a low availability impact possible due to potential query delays from time-based techniques.

The Frappe ERPNext security advisory (GHSA-j669-ghv2-gmqg) and release notes confirm the issue is fixed in versions 15.100.0 and 16.8.0, recommending immediate upgrades for affected installations. Relevant patch details are available in the GitHub release tags for v15.100.0 and v16.8.0.
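The root cause named above is insufficient parameter validation on endpoints that build SQL from caller-supplied input, and the SI-10 control recommended for it is input validation. The following is an added example, not code from ERPNext, Frappe or the advisory, showing what that control looks like in Python: filterable column names and operators are restricted to an allowlist before any SQL text is assembled, and values only ever reach the database as bind parameters. It assumes a hypothetical `party` table with three columns, uses SQLite in memory so it runs offline, and does not reproduce the actual ERPNext patch.

```python
import re
import sqlite3
from typing import Any

# Constructed sample rows for the demo; they are not data from the advisory.
SAMPLE_ROWS = [
    ("ACC-001", "Alice Corp", "Customer"),
    ("ACC-002", "Bob Ltd", "Supplier"),
    ("ACC-003", "Carol Inc", "Customer"),
]

# SI-10 style allowlists: only these columns and comparison operators may be
# spliced into SQL text. Everything else travels as a bind parameter.
ALLOWED_FIELDS = {"name", "party_name", "party_type"}
ALLOWED_OPS = {"=", "!=", "like"}
IDENTIFIER_RE = re.compile(r"^[a-z_][a-z0-9_]{0,63}$")


class InvalidFilter(ValueError):
    """Raised when a caller-supplied filter fails validation."""


def validate_filter(field: str, op: str, value: Any) -> tuple[str, str, str]:
    """Return a (field, op, value) triple that is safe to use, or raise InvalidFilter."""
    if not isinstance(field, str) or not IDENTIFIER_RE.match(field) or field not in ALLOWED_FIELDS:
        raise InvalidFilter(f"field not allowed: {field!r}")
    if not isinstance(op, str) or op.lower() not in ALLOWED_OPS:
        raise InvalidFilter(f"operator not allowed: {op!r}")
    if isinstance(value, bool) or not isinstance(value, (str, int, float)):
        raise InvalidFilter(f"unsupported value type: {type(value).__name__}")
    return field, op.lower(), str(value)


def build_query(filters: list[tuple[str, str, Any]]) -> tuple[str, list[str]]:
    """Build a parameterised SELECT over the hypothetical 'party' table.

    Identifiers and operators come only from the allowlists; values are never
    concatenated into the SQL string but returned as bind parameters.
    """
    clauses: list[str] = []
    params: list[str] = []
    for field, op, value in filters:
        f, o, v = validate_filter(field, op, value)
        clauses.append(f"{f} {o} ?")
        params.append(v)
    sql = "SELECT name, party_name, party_type FROM party"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY name"
    return sql, params


def query_parties(conn: sqlite3.Connection, filters: list[tuple[str, str, Any]]) -> list[tuple]:
    """Validate, build and execute the query with bound parameters."""
    sql, params = build_query(filters)
    return conn.execute(sql, params).fetchall()


def make_demo_db() -> sqlite3.Connection:
    """In-memory SQLite table standing in for a 'party' table (constructed for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE party (name TEXT PRIMARY KEY, party_name TEXT, party_type TEXT)")
    conn.executemany("INSERT INTO party VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def demo() -> dict[str, Any]:
    """Exercise the validator with a normal lookup and three malformed filters."""
    conn = make_demo_db()
    out: dict[str, Any] = {}
    out["customers"] = query_parties(conn, [("party_type", "=", "Customer")])
    # A value containing quote characters is bound as a literal string and matches no row.
    out["quoted_value"] = query_parties(conn, [("party_name", "=", "x' OR '1'='1")])
    # A column name that is not on the allowlist is rejected before any SQL is built.
    try:
        query_parties(conn, [("party_name) OR (1=1", "=", "x")])
        out["bad_field"] = "accepted"
    except InvalidFilter:
        out["bad_field"] = "rejected"
    # An operator outside the allowlist is rejected the same way.
    try:
        query_parties(conn, [("name", "OR", "x")])
        out["bad_operator"] = "accepted"
    except InvalidFilter:
        out["bad_operator"] = "rejected"
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The design point is the split of responsibility: the only strings that are ever interpolated into SQL are taken from a fixed set the application controls, and the regular expression is a second guard so that an allowlist edit cannot accidentally admit an identifier with SQL syntax in it. A web application firewall (SC-7 above) can catch known injection patterns on the wire, but it cannot distinguish a malformed column name from a legitimate one; that distinction has to live in the endpoint.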

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products: frappe / erpnext, ≤ 15.100.0; 16.0.0 through 16.8.0

CVEs Like This One

- CVE-2025-66434 (same product: Frappe Erpnext)
- CVE-2026-27471 (same product: Frappe Erpnext)
- CVE-2025-66437 (same product: Frappe Erpnext)
- CVE-2025-30217 (same vendor: Frappe)
- CVE-2026-31877 (same vendor: Frappe)
- CVE-2023-54345 (same product: Frappe Erpnext)
- CVE-2026-35614 (same vendor: Frappe)
- CVE-2025-67289 (same product: Frappe Erpnext)
- CVE-2026-29081 (same vendor: Frappe)
- CVE-2025-30212 (same vendor: Frappe)

References