
frappe — Vulnerabilities & Security Advisories (77)

Browse all 77 CVE security advisories affecting frappe. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Frappe is an open-source web framework primarily utilized for building enterprise resource planning (ERP) applications, most notably through its flagship product, ERPNext. With seventy recorded Common Vulnerabilities and Exposures, the platform has faced significant scrutiny regarding its security posture. Historically, the most prevalent vulnerability classes include Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL injection, often stemming from insufficient input validation or improper access controls within custom modules. Privilege escalation flaws have also been documented, allowing unauthorized users to gain elevated permissions. While the core framework itself receives regular updates, the extensive ecosystem of third-party apps introduces variability in security hygiene. Major incidents have largely involved misconfigurations or exploited bugs in specific integrations rather than fundamental architectural failures, highlighting the critical importance of rigorous patch management and secure coding practices for developers extending the Frappe platform.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-30217 | Frappe has possibility of SQL injection due to improper validations | frappe | CWE-89 | 7.5 (AI) | High (AI) | 2025-03-26 |
| CVE-2025-30214 | Frappe vulnerable to information disclosure leading to account takeover | frappe | CWE-200 | 8.1 (AI) | High (AI) | 2025-03-25 |
| CVE-2025-30213 | Frappe has possibility of Remote Code Execution due to improper validation | frappe | CWE-20 | 8.8 (AI) | High (AI) | 2025-03-25 |
| CVE-2025-30212 | Frappe has possibility of SQL injection due to improper validations | frappe | CWE-89 | 7.5 (AI) | High (AI) | 2025-03-25 |
| CVE-2024-50356 | Press has a potential 2FA bypass | press | CWE-640 | - | - | 2024-10-31 |
| CVE-2024-49751 | Frappe Press possible HTML injection through SaaS Signup inputs | press | CWE-79 | 5.4 (AI) | Medium (AI) | 2024-10-23 |
| CVE-2024-34074 | Frappe vulnerable to an open redirect on login page | frappe | CWE-601 | 6.1 | Medium | 2024-05-09 |
| CVE-2024-27105 | Frappe File Permissions can be bypassed using certain endpoints | frappe | CWE-863 | 8.1 | High | 2024-03-20 |
| CVE-2024-24813 | Frappe SQL Injection from reporting logic | frappe | CWE-89 | 7.5 | High | 2024-03-20 |
| CVE-2024-24812 | Frappe Authenticated Reflected Cross-site scripting (XSS) in portal pages | frappe | CWE-79 | 5.4 | Medium | 2024-02-07 |
| CVE-2023-46127 | Frappe vulnerable to HTML injection by any Desk user | frappe | CWE-79 | 5.4 | Medium | 2023-10-23 |
| CVE-2023-5555 | Cross-site Scripting (XSS) - Generic in frappe/lms | frappe/lms | CWE-79 | 6.1 | - | 2023-10-12 |
| CVE-2023-42807 | Frappe LMS SQL Injection Issue on People Page | lms | CWE-89 | 6.3 | Medium | 2023-09-21 |
| CVE-2023-41328 | Possibility of limited SQL injection due to insufficient validation in Frappe | frappe | CWE-89 | 4.2 | Medium | 2023-09-06 |
| CVE-2022-23055 | ERPNext - Improper user access control | frappe | CWE-862 | 8.1 | - | 2022-06-22 |
| CVE-2022-23058 | ERPNext - Stored XSS in My Settings | frappe | CWE-79 | 5.4 | - | 2022-06-22 |
| CVE-2022-23057 | ERPNext - Stored XSS in My Profile | frappe | CWE-79 | 5.4 | - | 2022-06-22 |

CVSS scores and severities marked "(AI)" are AI-estimated rather than taken from an official advisory; "-" means no score or severity was recorded.

This page lists every published CVE security advisory associated with frappe. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.