Filtered by vendor Frappe Subscriptions
Filtered by product Frappe Subscriptions
Total 80 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2026-58503 1 Frappe 1 Frappe 2026-07-10 N/A
Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the reset_password endpoint. This issue is fixed in versions 16.16.0 and 15.106.0.
CVE-2026-47422 1 Frappe 1 Frappe 2026-07-10 N/A
Frappe is a full-stack web application framework. Prior to 15.107.5 and 16.18.2, an endpoint in reportview lacked appropriate permission checks and that has since been fixed. This vulnerability is fixed in 15.107.5 and 16.18.2.
CVE-2026-47199 1 Frappe 1 Frappe 2026-07-10 N/A
Frappe is a full-stack web application framework. Prior to 16.18.3 and 15.108.0, check_safe_sql_query permitted SELECT INTO OUTFILE queries, which could potentially work on self-hosted sites if database permissions are not well aligned and MySQL FILE privileges are available. This issue is fixed in versions 16.18.3 and 15.108.0.
CVE-2026-41482 1 Frappe 1 Frappe 2026-07-10 N/A
Frappe is a full-stack web application framework. Prior to 16.18.3, possible path traversal and local file inclusion were possible through secure local resource access in the Chrome PDF Generator. This issue is fixed in version 16.18.3.
CVE-2026-48127 1 Frappe 1 Frappe 2026-07-10 N/A
Frappe is a full-stack web application framework. Prior to 16.20.0 and 15.110.0, users without write access could attach files to any doctype through file-handling API endpoints such as add_attachments. This issue is fixed in versions 16.20.0 and 15.110.0.
CVE-2026-49394 1 Frappe 1 Frappe 2026-07-10 N/A
Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the update_page endpoint in Workspace because public workspaces did not receive the required Workspace Manager edit check. This issue is fixed in version 16.19.0.
CVE-2026-42219 1 Frappe 1 Frappe 2026-07-10 N/A
Frappe is a full-stack web application framework. Prior to 16.19.0 and 15.109.0, path traversal via download_backups was possible due to lack of hardening. This issue is fixed in versions 16.19.0 and 15.109.0.
CVE-2026-55852 1 Frappe 1 Frappe 2026-07-10 N/A
Frappe is a full-stack web application framework. Prior to 16.23.0 and 15.112.0, TarSlip RCE was possible in Package Import because tarfile members were not sufficiently checked before extraction. This issue is fixed in versions 16.23.0 and 15.112.0.
CVE-2026-44208 1 Frappe 1 Frappe 2026-06-13 N/A
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.
CVE-2026-44976 1 Frappe 1 Frappe 2026-06-12 N/A
Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4.
CVE-2026-50026 1 Frappe 1 Frappe 2026-06-12 N/A
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, a lack of permission checks in these endpoints allowed unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.
CVE-2026-53568 1 Frappe 1 Frappe 2026-06-12 N/A
Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, there is a stored XSS vulnerablity in Frappe Report/List View. This issue has been patched in versions 15.107.2 and 16.17.4.
CVE-2026-44207 1 Frappe 1 Frappe 2026-06-12 N/A
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allows authenticated users to access other users' email configuration details. This issue has been patched in versions 15.107.0 and 16.17.0.
CVE-2026-44975 1 Frappe 1 Frappe 2026-06-12 N/A
Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4.
CVE-2026-47739 1 Frappe 1 Frappe 2026-06-12 N/A
Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, stored XSS in Note was possible due to lack of sanitization. This issue has been patched in versions 15.106.0 and 16.16.0.
CVE-2026-44206 1 Frappe 1 Frappe 2026-06-12 N/A
Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration is possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4.
CVE-2026-47182 1 Frappe 1 Frappe 2026-06-12 N/A
Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4.
CVE-2026-44205 1 Frappe 1 Frappe 2026-06-12 N/A
Frappe is a full-stack web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allows an attacker to execute malicious scripts in the browsers of other users. This issue has been patched in version 15.106.0.
CVE-2026-41581 1 Frappe 1 Frappe 2026-06-12 N/A
Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, there is a possible SQL Injection via get_blog_list. This issue has been patched in versions 15.106.0 and 16.16.0.
CVE-2026-39352 1 Frappe 1 Frappe 2026-05-21 N/A
Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above.