ReportizFlow
Filtered by vendor Frappe
Subscriptions
Total
117 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-41317 | 1 Frappe | 1 Press | 2026-04-28 | N/A |
| Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts method to POST. | ||||
| CVE-2026-41430 | 1 Frappe | 1 Press | 2026-04-28 | N/A |
| Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting redirects to internal URLs only. | ||||
| CVE-2026-40888 | 1 Frappe | 2 Frappe Hr, Hrms | 2026-04-27 | N/A |
| Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available. | ||||
| CVE-2026-40889 | 1 Frappe | 2 Frappe Hr, Hrms | 2026-04-27 | 6.5 Medium |
| Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available. | ||||
| CVE-2026-41320 | 1 Frappe | 2 Frappe Hr, Hrms | 2026-04-27 | 6.5 Medium |
| Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available. | ||||
| CVE-2026-3837 | 1 Frappe | 1 Frappe | 2026-04-27 | N/A |
| An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping This issue affects Frappe: 16.10.0. | ||||
| CVE-2026-3673 | 1 Frappe | 1 Frappe | 2026-04-23 | N/A |
| An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping. This issue affects Frappe: 16.10.10. | ||||
| CVE-2026-23497 | 1 Frappe | 3 Frappe, Frappe Lms, Learning | 2026-04-18 | 5.4 Medium |
| Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on course or jobs pages. | ||||
| CVE-2026-25956 | 1 Frappe | 1 Frappe | 2026-04-18 | 6.1 Medium |
| Frappe is a full-stack web application framework. Prior to 14.99.14 and 15.94.0, an attacker could craft a malicious signup URL for a frappe site which could lead to an open redirect (or reflected XSS, depending on the crafted payload) when a user signs up. This vulnerability is fixed in 14.99.14 and 15.94.0. | ||||
| CVE-2026-27471 | 1 Frappe | 1 Erpnext | 2026-04-18 | 9.1 Critical |
| ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1. | ||||
| CVE-2026-26031 | 1 Frappe | 2 Frappe Lms, Learning | 2026-04-17 | 5.3 Medium |
| Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.44.0, security issue was identified in Frappe Learning, where unauthorised users were able to access the full list of enrolled students (by email) in batches. This vulnerability is fixed in 2.44.0. | ||||
| CVE-2026-26977 | 1 Frappe | 2 Learning, Lms | 2026-04-17 | 5.3 Medium |
| Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release. | ||||
| CVE-2026-29077 | 1 Frappe | 1 Frappe | 2026-04-17 | 7.1 High |
| Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patched in versions 15.98.0 and 14.100.0. | ||||
| CVE-2026-28436 | 1 Frappe | 1 Frappe | 2026-04-16 | 7.2 High |
| Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0. | ||||
| CVE-2026-29081 | 1 Frappe | 1 Frappe | 2026-04-16 | 6.5 Medium |
| Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0. | ||||
| CVE-2026-31017 | 1 Frappe | 3 Erpnext, Framework, Frappe | 2026-04-15 | 9.1 Critical |
| A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure. | ||||
| CVE-2025-59421 | 1 Frappe | 2 Frappe, Press | 2026-04-15 | N/A |
| Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). A bad actor can flood the inbox of a user by repeatedly sending invites (duplicate). The issue is fixed in commit 83c3fc7676c5dbbe1fd5092d21d95a10c7b48615. | ||||
| CVE-2026-35614 | 1 Frappe | 1 Frappe | 2026-04-14 | 9.8 Critical |
| Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulk_update. This vulnerability is fixed in 16.14.0 and 15.104.0. | ||||
| CVE-2025-10655 | 1 Frappe | 2 Frappe Helpdesk, Helpdesk | 2026-04-14 | 8.8 High |
| SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters into dynamic SQL statements.This issue affects Frappe HelpDesk: 1.14.0. | ||||
| CVE-2026-39351 | 1 Frappe | 1 Frappe | 2026-04-13 | 9.1 Critical |
| Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit. | ||||