Total
43 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-31877 | 1 Frappe | 1 Frappe | 2026-03-13 | N/A | 9.8 CRITICAL |
| Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0. | |||||
| CVE-2026-31878 | 1 Frappe | 1 Frappe | 2026-03-13 | N/A | 5.0 MEDIUM |
| Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0. | |||||
| CVE-2026-31879 | 1 Frappe | 1 Frappe | 2026-03-13 | N/A | 5.4 MEDIUM |
| Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other user's private workspaces. Specially crafted requests could lead to stored XSS here. This vulnerability is fixed in 14.100.2, 15.101.0, and 16.10.0. | |||||
| CVE-2026-28436 | 1 Frappe | 1 Frappe | 2026-03-09 | N/A | 7.2 HIGH |
| Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0. | |||||
| CVE-2026-29077 | 1 Frappe | 1 Frappe | 2026-03-09 | N/A | 7.1 HIGH |
| Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patched in versions 15.98.0 and 14.100.0. | |||||
| CVE-2026-29081 | 1 Frappe | 1 Frappe | 2026-03-09 | N/A | 6.5 MEDIUM |
| Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0. | |||||
| CVE-2026-25956 | 1 Frappe | 1 Frappe | 2026-02-17 | N/A | 6.1 MEDIUM |
| Frappe is a full-stack web application framework. Prior to 14.99.14 and 15.94.0, an attacker could craft a malicious signup URL for a frappe site which could lead to an open redirect (or reflected XSS, depending on the crafted payload) when a user signs up. This vulnerability is fixed in 14.99.14 and 15.94.0. | |||||
| CVE-2025-68953 | 1 Frappe | 1 Frappe | 2026-01-09 | N/A | 7.5 HIGH |
| Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are vulnerable to path traversal attacks. Arbitrary files from the server could be retrieved due to a lack of proper sanitization on some requests. This issue is fixed in versions 14.99.6 and 15.88.1. To workaround, changing the setup to use a reverse proxy is recommended. | |||||
| CVE-2025-67289 | 1 Frappe | 2 Erpnext, Frappe | 2026-01-02 | N/A | 9.6 CRITICAL |
| An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file. | |||||
| CVE-2025-68929 | 1 Frappe | 1 Frappe | 2025-12-31 | N/A | 9.0 CRITICAL |
| Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server, resulting in remote code execution. Versions 14.99.6 and 15.88.1 fix the issue. No known workarounds are available. | |||||
| CVE-2025-65267 | 1 Frappe | 2 Erpnext, Frappe | 2025-12-05 | N/A | 9.0 CRITICAL |
| In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance. | |||||
| CVE-2025-66205 | 1 Frappe | 1 Frappe | 2025-12-04 | N/A | 7.1 HIGH |
| Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2. | |||||
| CVE-2025-66206 | 1 Frappe | 1 Frappe | 2025-12-04 | N/A | 6.8 MEDIUM |
| Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, certain requests were vulnerable to path traversal attacks, wherein some files from the server could be retrieved if the full path was known. Sites hosted on Frappe Cloud, and even other setups that are behind a reverse proxy like NGINX are unaffected. This would mainly affect someone directly using werkzeug/gunicorn. In those cases, either an upgrade or changing the setup to use a reverse proxy is recommended. This vulnerability is fixed in 15.86.0 and 14.99.2. | |||||
| CVE-2025-62407 | 1 Frappe | 1 Frappe | 2025-10-23 | N/A | 6.1 MEDIUM |
| Frappe is a full-stack web application framework. Prior to 14.98.0 and 15.83.0, an open redirect was possible through the redirect argument on the login page, if a specific type of URL was passed in. This vulnerability is fixed in 14.98.0 and 15.83.0. | |||||
| CVE-2025-56379 | 1 Frappe | 2 Erpnext, Frappe | 2025-10-03 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field. | |||||
| CVE-2025-56380 | 1 Frappe | 2 Erpnext, Frappe | 2025-10-03 | N/A | 6.5 MEDIUM |
| Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the frappe.client.get_value API endpoint and a crafted script to the fieldname parameter | |||||
| CVE-2025-56381 | 1 Frappe | 2 Erpnext, Frappe | 2025-10-03 | N/A | 6.5 MEDIUM |
| ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters. | |||||
| CVE-2025-52048 | 1 Frappe | 1 Frappe | 2025-09-20 | N/A | 6.5 MEDIUM |
| In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py` is vulnerable to SQL Injection, which allows an attacker to extract information from databases by injecting a SQL query into the `dt` parameter. | |||||
| CVE-2025-55731 | 1 Frappe | 1 Frappe | 2025-08-22 | N/A | 8.8 HIGH |
| Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not have access to, via SQL injection. This vulnerability is fixed in 15.74.2 and 14.96.15. | |||||
| CVE-2025-55732 | 1 Frappe | 1 Frappe | 2025-08-22 | N/A | 7.5 HIGH |
| Frappe is a full-stack web application framework. Prior to 15.74.2 and 14.96.15, an attacker could implement SQL injection through specially crafted requests, allowing malicious people to access sensitive information. This vulnerability is a bypass of the official patch released for CVE-2025-52895. This vulnerability is fixed in 15.74.2 and 14.96.15. | |||||