EIP-2026-104242

PRE-CVE

ERPNext 12.14.0 - SQL Injection (Authenticated)

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-104242. PoCs published by Hodorsec.

AI-analyzed exploit summary: This is a functional exploit for an authenticated SQL injection vulnerability in ERPNext 12.14.0. It leverages unsanitized 'or_filters' and 'filters' parameters in the 'frappe.model.db_query.get_list' function to perform time-based blind SQL injection, retrieve admin reset tokens, and reset the admin password.

Description

ERPNext 12.14.0 - SQL Injection (Authenticated)

Exploits (1)

exploitdb WORKING POC
by Hodorsec · python · webapps · multiple
https://www.exploit-db.com/exploits/49464

Classification
Working PoC (95%)
Attack type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: ERPNext 12.14.0
Auth required
Prerequisites: Valid low-privileged user credentials · Access to the ERPNext web interface
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked since: Feb 18, 2026