Browse all 70 CVE security advisories affecting Frappe. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Frappe is an open-source web framework used primarily to build enterprise resource planning (ERP) applications, most notably its flagship product, ERPNext. With seventy recorded Common Vulnerabilities and Exposures, the platform has drawn significant scrutiny of its security posture. Historically, the most prevalent vulnerability classes have been Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL injection, often stemming from insufficient input validation or improper access controls in custom modules. Privilege escalation flaws have also been documented, allowing unauthorized users to obtain elevated permissions. While the core framework receives regular updates, the extensive ecosystem of third-party apps introduces variability in security hygiene. Major incidents have largely involved misconfigurations or exploited bugs in specific integrations rather than fundamental architectural failures, which underlines the importance of rigorous patch management and secure coding practices for developers extending the Frappe platform.
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-32954 | ERP has a possibility SQL Injection vulnerability due to missing validation | erpnext | CWE-89 | 7.1 | High | 2026-03-20 |
| CVE-2026-27471 | ERP: Document access through endpoints due to missing validation | erpnext | CWE-862 | 4.3 (AI-estimated) | Medium (AI-estimated) | 2026-02-21 |
| CVE-2025-58439 | ERP: Possibility of SQL injection due to missing validation | erpnext | CWE-89 | 8.1 | High | 2025-09-06 |
This page lists every published CVE security advisory associated with Frappe. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. Scores marked "AI-estimated" were not assigned by the advisory publisher. AI-generated Chinese analysis is provided for fast triage.