CVE-2023-54345

CVE Database · CVE-2023-54345

CVE-2023-54345

· HIGHAnalyzed

CVSS v3.1

8.8

CVSS v4.0

8.7

EPSS

0.61%

Published

May 5, 2026

Modified

May 5, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the gi_frame attribute to traverse the call stack and invoke os.popen to execute system commands.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-94

Affected Products (1)

frappe · erpnextvulnerable

References (8)

http://erpnext.org

Product

https://frappeframework.com/docs/v13/user/en/desk/scripting/server-script

Product

https://gist.github.com/lebr0nli/c2fc617390451f0e5a4c31c87d8720b6