Filtered by vendor Frappe
Total: 41 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-34074 | 1 Frappe | 1 Frappe | 2025-08-04 | N/A | N/A |
Frappe is a full-stack web application framework. Prior to 15.26.0 and 14.74.0, the login page accepted a redirect argument that allowed redirection to untrusted external URLs. This behaviour can be used by malicious actors for phishing. This vulnerability is fixed in 15.26.0 and 14.74.0. | |||||
CVE-2025-30217 | 1 Frappe | 1 Frappe | 2025-08-01 | N/A | 7.5 HIGH |
Frappe is a full-stack web application framework. Prior to versions 14.93.2 and 15.55.0, a SQL Injection vulnerability has been identified in Frappe Framework which could allow a malicious actor to access sensitive information. Versions 14.93.2 and 15.55.0 contain a patch for the issue. No known workarounds are available. | |||||
CVE-2025-30212 | 1 Frappe | 1 Frappe | 2025-08-01 | N/A | 7.5 HIGH |
Frappe is a full-stack web application framework. An SQL Injection vulnerability has been identified in Frappe Framework prior to versions 14.89.0 and 15.51.0 which could allow a malicious actor to access sensitive information. Versions 14.89.0 and 15.51.0 fix the issue. Upgrading is required; no other workaround is present. | |||||
CVE-2025-30213 | 1 Frappe | 1 Frappe | 2025-08-01 | N/A | 8.8 HIGH |
Frappe is a full-stack web application framework. Prior to versions 14.91.0 and 15.52.0, a system user was able to create certain documents in a specific way that could lead to remote code execution. Versions 14.91.0 and 15.52.0 contain a patch for the vulnerability. There's no workaround; an upgrade is required. | |||||
CVE-2025-30214 | 1 Frappe | 1 Frappe | 2025-08-01 | N/A | 7.5 HIGH |
Frappe is a full-stack web application framework. Prior to versions 14.89.0 and 15.51.0, making crafted requests could lead to information disclosure that could further lead to account takeover. Versions 14.89.0 and 15.51.0 fix the issue. There's no workaround to fix this without upgrading. | |||||
CVE-2024-27105 | 1 Frappe | 1 Frappe | 2025-07-31 | N/A | 6.5 MEDIUM |
Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.16.0 contain a patch for this issue. No known workarounds are available. | |||||
CVE-2024-24813 | 1 Frappe | 1 Frappe | 2025-07-31 | N/A | 7.5 HIGH |
Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available. | |||||
CVE-2025-52898 | 1 Frappe | 1 Frappe | 2025-07-08 | N/A | 8.8 HIGH |
Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self-hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Self-hosted users should upgrade; until then, the only mitigation is to verify password reset URLs before clicking on them. | |||||
CVE-2025-52896 | 1 Frappe | 1 Frappe | 2025-07-08 | N/A | 5.4 MEDIUM |
Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds for this issue other than upgrading. | |||||
CVE-2025-52895 | 1 Frappe | 1 Frappe | 2025-07-08 | N/A | 7.5 HIGH |
Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow a malicious actor to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There are no workarounds for this issue other than upgrading. | |||||
CVE-2025-28062 | 1 Frappe | 1 Erpnext | 2025-06-17 | N/A | N/A |
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNext 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections. | |||||
CVE-2022-41712 | 1 Frappe | 1 Frappe | 2025-04-29 | N/A | 6.5 MEDIUM |
Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter. | |||||
CVE-2024-24812 | 1 Frappe | 1 Frappe | 2024-02-14 | N/A | 5.4 MEDIUM |
Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client side library. Prior to versions 14.59.0 and 15.5.0, portal pages are susceptible to Cross-Site Scripting (XSS) which can be used to inject malicious JS code if user clicks on a malicious link. This vulnerability has been patched in versions 14.59.0 and 15.5.0. No known workarounds are available. | |||||
CVE-2022-3988 | 1 Frappe | 1 Frappe | 2023-11-07 | N/A | 6.1 MEDIUM |
A vulnerability was found in Frappe. It has been rated as problematic. Affected by this issue is some unknown functionality of the file frappe/templates/includes/navbar/navbar_search.html of the component Search. Manipulation of the argument q leads to cross-site scripting. The attack may be launched remotely. The fix is commit bfab7191543961c6cb77fe267063877c31b616ce; applying it is recommended. The identifier of this vulnerability is VDB-213560. | |||||
CVE-2022-23055 | 1 Frappe | 1 Erpnext | 2023-11-07 | 5.5 MEDIUM | N/A |
In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group while impersonating the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users. | |||||
CVE-2022-23058 | 1 Frappe | 1 Erpnext | 2023-11-07 | 3.5 LOW | N/A |
ERPNext versions v12.0.9 through v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the 'username' field in 'my settings', which can lead to full account takeover. | |||||
CVE-2022-23056 | 1 Frappe | 1 Erpnext | 2023-11-07 | 3.5 LOW | N/A |
In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low privilege user to conduct an account takeover attack. | |||||
CVE-2022-23057 | 1 Frappe | 1 Erpnext | 2023-11-07 | 3.5 LOW | 5.4 MEDIUM |
In ERPNext, versions v12.0.9 through v13.0.3 are vulnerable to Stored Cross-Site Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing their profile. | |||||
CVE-2023-46127 | 1 Frappe | 1 Frappe | 2023-10-31 | N/A | 5.4 MEDIUM |
Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and an integrated client side library. A malicious Frappe user with desk access could create documents containing HTML payloads allowing HTML Injection. This vulnerability has been patched in version 14.49.0. | |||||
CVE-2023-5555 | 1 Frappe | 1 Frappe Lms | 2023-10-16 | N/A | 6.1 MEDIUM |
Cross-site Scripting (XSS) - Generic in GitHub repository frappe/lms prior to 5614a6203fb7d438be8e2b1e3030e4528d170ec4. |
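The question a practitioner asks of a list like this is "which of these does my installed Frappe version still carry?". The following script is an added example, not Frappe's own tooling or a script from this database: it transcribes the fixed versions stated in the Frappe Framework rows above (the two maintained branches, 14.x and 15.x) and compares an installed version against them. The branch-handling rule (a version on a branch older than every fixed version is treated as vulnerable, a newer branch as unknown) is an assumption, so treat any "unknown" result as "read the advisory". Entries that state only affected versions (CVE-2022-41712 and the ERPNext rows) are not modelled and must be checked by hand.

```python
"""Compare an installed Frappe Framework version with the fixed versions
listed in the CVE table.  Added example; fixed-version data is transcribed
from the table, the comparison rule is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    fixed: dict  # major branch -> first fixed version on that branch


# Fixed versions as stated in the table.  CVE-2025-30213 is listed as
# "prior to 14.91.0", so 14.91.0 is used (the row's "14.9.1" is a typo).
# CVE-2023-46127 only names a 14.x fix, so 15.x is left unknown.
ADVISORIES = [
    Advisory("CVE-2024-34074", {14: "14.74.0", 15: "15.26.0"}),
    Advisory("CVE-2025-30217", {14: "14.93.2", 15: "15.55.0"}),
    Advisory("CVE-2025-30212", {14: "14.89.0", 15: "15.51.0"}),
    Advisory("CVE-2025-30213", {14: "14.91.0", 15: "15.52.0"}),
    Advisory("CVE-2025-30214", {14: "14.89.0", 15: "15.51.0"}),
    Advisory("CVE-2024-27105", {14: "14.66.3", 15: "15.16.0"}),
    Advisory("CVE-2024-24813", {14: "14.64.0", 15: "15.0.0"}),
    Advisory("CVE-2025-52898", {14: "14.94.3", 15: "15.58.0"}),
    Advisory("CVE-2025-52896", {14: "14.94.2", 15: "15.57.0"}),
    Advisory("CVE-2025-52895", {14: "14.94.3", 15: "15.58.0"}),
    Advisory("CVE-2024-24812", {14: "14.59.0", 15: "15.5.0"}),
    Advisory("CVE-2023-46127", {14: "14.49.0"}),
]


def parse_version(text):
    """Turn 'v14.0.0-beta' into a sortable tuple; a pre-release sorts
    below the final release with the same numbers."""
    core, _, pre = text.strip().lstrip("v").partition("-")
    parts = tuple(int(p) for p in core.split("."))
    while len(parts) < 3:
        parts += (0,)
    return parts + ((0, pre) if pre else (1, ""))


def status(installed, adv):
    """'vulnerable', 'patched' or 'unknown' for one advisory."""
    v = parse_version(installed)
    major = v[0]
    if major in adv.fixed:
        return "patched" if v >= parse_version(adv.fixed[major]) else "vulnerable"
    if major < min(adv.fixed):
        # Older branch: "prior to" every fixed version, so still affected.
        return "vulnerable"
    # Newer branch than the advisory describes: assumption, verify manually.
    return "unknown"


def report(installed, advisories=ADVISORIES):
    """Group the CVE identifiers by status for the installed version."""
    out = {"vulnerable": [], "patched": [], "unknown": []}
    for adv in advisories:
        out[status(installed, adv)].append(adv.cve)
    return out


if __name__ == "__main__":
    # Constructed example input: a 15.x install from spring 2025.
    for key, cves in report("15.52.0").items():
        print(f"{key:10s} {', '.join(cves) or '-'}")
```

Run it against the output of `bench version` (or `frappe.__version__`) for the site in question; the "vulnerable" list is the set of rows above whose fixed version is newer than what is installed on that branch.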