Filtered by vendor Frappe
Subscribe
Total
130 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-11283 | 1 Frappe | 1 Learning | 2026-04-29 | 3.3 LOW | 2.4 LOW |
| A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them. | |||||
| CVE-2025-11280 | 1 Frappe | 1 Learning | 2026-04-29 | 2.6 LOW | 3.7 LOW |
| A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them. | |||||
| CVE-2025-11282 | 1 Frappe | 1 Learning | 2026-04-29 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them. | |||||
| CVE-2026-28436 | 1 Frappe | 1 Frappe | 2026-04-29 | N/A | 7.2 HIGH |
| Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0. | |||||
| CVE-2026-40888 | 1 Frappe | 1 Frappe Hr | 2026-04-27 | N/A | 6.5 MEDIUM |
| Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available. | |||||
| CVE-2026-40889 | 1 Frappe | 1 Frappe Hr | 2026-04-27 | N/A | 6.5 MEDIUM |
| Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available. | |||||
| CVE-2026-41320 | 1 Frappe | 1 Frappe Hr | 2026-04-27 | N/A | 6.5 MEDIUM |
| Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available. | |||||
| CVE-2026-31017 | 1 Frappe | 2 Erpnext, Frappe | 2026-04-14 | N/A | 9.1 CRITICAL |
| A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure. | |||||
| CVE-2025-10655 | 1 Frappe | 1 Helpdesk | 2026-04-14 | N/A | 8.8 HIGH |
| SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters into dynamic SQL statements.This issue affects Frappe HelpDesk: 1.14.0. | |||||
| CVE-2026-35614 | 1 Frappe | 1 Frappe | 2026-04-13 | N/A | 9.8 CRITICAL |
| Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulk_update. This vulnerability is fixed in 16.14.0 and 15.104.0. | |||||
| CVE-2026-39415 | 1 Frappe | 1 Learning | 2026-04-13 | N/A | 4.3 MEDIUM |
| Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on client-side calculated scores, which can be altered using browser developer tools prior to sending the submission request. While this does not allow modification of other users’ data or privilege escalation, it compromises the integrity of quiz results and undermines academic reliability. This issue affects data integrity but does not expose confidential information or allow unauthorized access to other accounts. This vulnerability is fixed in 2.46.0. | |||||
| CVE-2026-39351 | 1 Frappe | 1 Frappe | 2026-04-10 | N/A | 9.1 CRITICAL |
| Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit. | |||||
| CVE-2026-34606 | 1 Frappe | 1 Learning | 2026-04-07 | N/A | 6.1 MEDIUM |
| Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0. | |||||
| CVE-2026-32954 | 1 Frappe | 1 Erpnext | 2026-03-23 | N/A | 7.1 HIGH |
| ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database information. This issue has been fixed in versions 15.100.0 and 16.8.0. | |||||
| CVE-2026-31877 | 1 Frappe | 1 Frappe | 2026-03-13 | N/A | 9.8 CRITICAL |
| Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0. | |||||
| CVE-2026-31878 | 1 Frappe | 1 Frappe | 2026-03-13 | N/A | 5.0 MEDIUM |
| Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0. | |||||
| CVE-2026-31879 | 1 Frappe | 1 Frappe | 2026-03-13 | N/A | 5.4 MEDIUM |
| Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other user's private workspaces. Specially crafted requests could lead to stored XSS here. This vulnerability is fixed in 14.100.2, 15.101.0, and 16.10.0. | |||||
| CVE-2026-29077 | 1 Frappe | 1 Frappe | 2026-03-09 | N/A | 7.1 HIGH |
| Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patched in versions 15.98.0 and 14.100.0. | |||||
| CVE-2026-29081 | 1 Frappe | 1 Frappe | 2026-03-09 | N/A | 6.5 MEDIUM |
| Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0. | |||||
| CVE-2026-27471 | 1 Frappe | 1 Erpnext | 2026-02-24 | N/A | 9.1 CRITICAL |
| ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1. | |||||