A vulnerability marked as critical has been reported in Frappe ERPNext up to 16.8.x . The affected element is an unknown function. This manipulation causes sql injection. This vulnerability is tracked as CVE-2026-44447 . The attack is possible to be carried out remotely. No exploit exists. It is suggested to upgrade the affected component.