A vulnerability labeled as critical has been found in Frappe ERPNext up to 15.104.2/16.13.x . Impacted is an unknown function. The manipulation results in sql injection. This vulnerability is identified as CVE-2026-44446 . The attack can be executed remotely. There is not any exploit available. The affected component should be upgraded.