Filtered by vendor Frappe
Subscriptions
Filtered by product Frappe
Subscriptions
Total
31 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-56379 | 2 Erpnext, Frappe | 3 Erpnext, Erpnext, Frappe | 2025-10-03 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field. | ||||
| CVE-2025-56380 | 1 Frappe | 2 Erpnext, Frappe | 2025-10-03 | 6.5 Medium |
| Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the frappe.client.get_value API endpoint and a crafted script to the fieldname parameter | ||||
| CVE-2025-56381 | 2 Erpnext, Frappe | 3 Erpnext, Erpnext, Frappe | 2025-10-03 | 6.5 Medium |
| ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters. | ||||
| CVE-2025-52048 | 1 Frappe | 1 Frappe | 2025-09-20 | 6.5 Medium |
| In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py` is vulnerable to SQL Injection, which allows an attacker to extract information from databases by injecting a SQL query into the `dt` parameter. | ||||
| CVE-2025-59421 | 1 Frappe | 2 Frappe, Press | 2025-09-19 | N/A |
| Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). A bad actor can flood the inbox of a user by repeatedly sending invites (duplicate). The issue is fixed in commit 83c3fc7676c5dbbe1fd5092d21d95a10c7b48615. | ||||
| CVE-2025-59415 | 1 Frappe | 2 Frappe, Frappe Lms | 2025-09-18 | 4.6 Medium |
| Frappe Learning is a learning system that helps users structure their content. In versions 2.34.1 and below, there is a security vulnerability in Frappe Learning where the system did not adequately sanitize the content uploaded in the profile bio. Malicious SVG files could be used to execute arbitrary scripts in the context of other users. | ||||
| CVE-2025-55731 | 1 Frappe | 1 Frappe | 2025-08-22 | 8.8 High |
| Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not have access to, via SQL injection. This vulnerability is fixed in 15.74.2 and 14.96.15. | ||||
| CVE-2025-55732 | 1 Frappe | 1 Frappe | 2025-08-22 | 7.5 High |
| Frappe is a full-stack web application framework. Prior to 15.74.2 and 14.96.15, an attacker could implement SQL injection through specially crafted requests, allowing malicious people to access sensitive information. This vulnerability is a bypass of the official patch released for CVE-2025-52895. This vulnerability is fixed in 15.74.2 and 14.96.15. | ||||
| CVE-2024-34074 | 1 Frappe | 1 Frappe | 2025-08-04 | 6.1 Medium |
| Frappe is a full-stack web application framework. Prior to 15.26.0 and 14.74.0, the login page accepts redirect argument and it allowed redirect to untrusted external URls. This behaviour can be used by malicious actors for phishing. This vulnerability is fixed in 15.26.0 and 14.74.0. | ||||
| CVE-2025-30217 | 1 Frappe | 1 Frappe | 2025-08-01 | 7.5 High |
| Frappe is a full-stack web application framework. Prior to versions 14.93.2 and 15.55.0, a SQL Injection vulnerability has been identified in Frappe Framework which could allow a malicious actor to access sensitive information. Versions 14.93.2 and 15.55.0 contain a patch for the issue. No known workarounds are available. | ||||
| CVE-2025-30212 | 1 Frappe | 1 Frappe | 2025-08-01 | 7.5 High |
| Frappe is a full-stack web application framework. An SQL Injection vulnerability has been identified in Frappe Framework prior to versions 14.89.0 and 15.51.0 which could allow a malicious actor to access sensitive information. Versions 14.89.0 and 15.51.0 fix the issue. Upgrading is required; no other workaround is present. | ||||
| CVE-2025-30213 | 1 Frappe | 1 Frappe | 2025-08-01 | 8.8 High |
| Frappe is a full-stack web application framework. Prior to versions 14.91.0 and 15.52.0, a system user was able to create certain documents in a specific way that could lead to remote code execution. Versions 14.9.1 and 15.52.0 contain a patch for the vulnerability. There's no workaround; an upgrade is required. | ||||
| CVE-2025-30214 | 1 Frappe | 1 Frappe | 2025-08-01 | 7.5 High |
| Frappe is a full-stack web application framework. Prior to versions 14.89.0 and 15.51.0, making crafted requests could lead to information disclosure that could further lead to account takeover. Versions 14.89.0 and 15.51.0 fix the issue. There's no workaround to fix this without upgrading. | ||||
| CVE-2024-27105 | 1 Frappe | 1 Frappe | 2025-07-31 | 8.1 High |
| Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.16.0 contain a patch for this issue. No known workarounds are available. | ||||
| CVE-2024-24813 | 1 Frappe | 1 Frappe | 2025-07-31 | 7.5 High |
| Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available. | ||||
| CVE-2025-52898 | 1 Frappe | 1 Frappe | 2025-07-08 | 8.8 High |
| Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users. | ||||
| CVE-2025-52895 | 1 Frappe | 1 Frappe | 2025-07-08 | 7.5 High |
| Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow malicious person to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There are no workarounds for this issue other than upgrading. | ||||
| CVE-2025-52896 | 1 Frappe | 1 Frappe | 2025-07-08 | 5.4 Medium |
| Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds for this issue other than upgrading. | ||||
| CVE-2022-41712 | 1 Frappe | 1 Frappe | 2025-04-29 | 6.5 Medium |
| Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter. | ||||
| CVE-2017-1000120 | 1 Frappe | 1 Frappe | 2025-04-20 | N/A |
| [ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter. | ||||