CVE-2026-44440
MEDIUM WAF: High
CVSS 5.7
Published: 2026-05-13
CWE-22
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability on an endpoint allows an authenticated adjacent attacker to read arbitrary files. This vulnerability is fixed in 15.101.1 and 16.10.0.
WAF Coverage Analysis
Path Traversal
High WAF Coverage
OWASP: A01:2021 Broken Access Control
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| frappe | erpnext | up to 15.101.1 |
| frappe | erpnext | 16.0.0 - 16.10.0 |
References
- github.com (Vendor Advisory)