Filtered by vendor Frappe
Subscribe
Total
58 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-56379 | 1 Frappe | 2 Erpnext, Frappe | 2025-10-03 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field. | |||||
| CVE-2023-5555 | 1 Frappe | 1 Learning | 2025-10-03 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Generic in GitHub repository frappe/lms prior to 5614a6203fb7d438be8e2b1e3030e4528d170ec4. | |||||
| CVE-2023-42807 | 1 Frappe | 1 Learning | 2025-10-03 | N/A | 6.3 MEDIUM |
| Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the `main` branch. Users won't face this issue if they are using the latest main branch of the app. | |||||
| CVE-2025-52043 | 1 Frappe | 1 Erpnext | 2025-10-03 | N/A | 6.5 MEDIUM |
| In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the company parameter. | |||||
| CVE-2025-52047 | 1 Frappe | 1 Erpnext | 2025-10-03 | N/A | 6.5 MEDIUM |
| In Frappe ErpNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the filters.disabled parameter. | |||||
| CVE-2025-52049 | 1 Frappe | 1 Erpnext | 2025-10-03 | N/A | 6.5 MEDIUM |
| In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query into the timelog parameter. | |||||
| CVE-2025-52050 | 1 Frappe | 1 Erpnext | 2025-10-03 | N/A | 6.5 MEDIUM |
| In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loyalty_program.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the expiry_date parameter. | |||||
| CVE-2025-52039 | 1 Frappe | 1 Erpnext | 2025-10-03 | N/A | 8.2 HIGH |
| In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/material_request.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the txt parameter. | |||||
| CVE-2025-52040 | 1 Frappe | 1 Erpnext | 2025-10-03 | N/A | 8.2 HIGH |
| In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker can extract all information from databases by injecting a SQL query into the blanket_order_type parameter. | |||||
| CVE-2025-52041 | 1 Frappe | 1 Erpnext | 2025-10-03 | N/A | 8.2 HIGH |
| In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the inventory_dimensions_dict parameter. | |||||
| CVE-2025-52042 | 1 Frappe | 1 Erpnext | 2025-10-03 | N/A | 8.2 HIGH |
| In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_quotation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query via the txt parameter. | |||||
| CVE-2025-56380 | 1 Frappe | 2 Erpnext, Frappe | 2025-10-03 | N/A | 6.5 MEDIUM |
| Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the frappe.client.get_value API endpoint and a crafted script to the fieldname parameter | |||||
| CVE-2025-56381 | 1 Frappe | 2 Erpnext, Frappe | 2025-10-03 | N/A | 6.5 MEDIUM |
| ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters. | |||||
| CVE-2025-52044 | 1 Frappe | 1 Erpnext | 2025-09-20 | N/A | 7.5 HIGH |
| In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query into inventory_dimensions_dict parameter. | |||||
| CVE-2025-52048 | 1 Frappe | 1 Frappe | 2025-09-20 | N/A | 6.5 MEDIUM |
| In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py` is vulnerable to SQL Injection, which allows an attacker to extract information from databases by injecting a SQL query into the `dt` parameter. | |||||
| CVE-2025-55731 | 1 Frappe | 1 Frappe | 2025-08-22 | N/A | 8.8 HIGH |
| Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not have access to, via SQL injection. This vulnerability is fixed in 15.74.2 and 14.96.15. | |||||
| CVE-2025-55732 | 1 Frappe | 1 Frappe | 2025-08-22 | N/A | 7.5 HIGH |
| Frappe is a full-stack web application framework. Prior to 15.74.2 and 14.96.15, an attacker could implement SQL injection through specially crafted requests, allowing malicious people to access sensitive information. This vulnerability is a bypass of the official patch released for CVE-2025-52895. This vulnerability is fixed in 15.74.2 and 14.96.15. | |||||
| CVE-2024-34074 | 1 Frappe | 1 Frappe | 2025-08-04 | N/A | 6.1 MEDIUM |
| Frappe is a full-stack web application framework. Prior to 15.26.0 and 14.74.0, the login page accepts redirect argument and it allowed redirect to untrusted external URls. This behaviour can be used by malicious actors for phishing. This vulnerability is fixed in 15.26.0 and 14.74.0. | |||||
| CVE-2025-30217 | 1 Frappe | 1 Frappe | 2025-08-01 | N/A | 7.5 HIGH |
| Frappe is a full-stack web application framework. Prior to versions 14.93.2 and 15.55.0, a SQL Injection vulnerability has been identified in Frappe Framework which could allow a malicious actor to access sensitive information. Versions 14.93.2 and 15.55.0 contain a patch for the issue. No known workarounds are available. | |||||
| CVE-2025-30212 | 1 Frappe | 1 Frappe | 2025-08-01 | N/A | 7.5 HIGH |
| Frappe is a full-stack web application framework. An SQL Injection vulnerability has been identified in Frappe Framework prior to versions 14.89.0 and 15.51.0 which could allow a malicious actor to access sensitive information. Versions 14.89.0 and 15.51.0 fix the issue. Upgrading is required; no other workaround is present. | |||||