ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.Referenceshttps://c0wking.hashnode.dev/ssti-in-erpnext-frappe-email-template-engine
