| Summary | ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered. |
|---|---|
| Publication Date | May 6, 2026, 2:17 a.m. |
| Registration Date | May 6, 2026, 4:07 a.m. |
| Last Update | May 6, 2026, 2:17 a.m. |