
frappe: Vulnerabilities & Security Advisories (70)

Browse all 70 CVE security advisories affecting frappe. AI-powered Chinese analysis, POCs, and references are provided for each vulnerability.

Frappe is an open-source Python web framework used mainly to build enterprise resource planning (ERP) applications, most notably its flagship product ERPNext. Seventy CVEs have been recorded against it, spread across the core framework and the first-party apps built on it (Frappe HR, LMS, ERPNext, CRM, Press and Helpdesk all appear in the list below). The classes that dominate the list are cross-site scripting (CWE-79), SQL injection (CWE-89) and missing or broken authorization (CWE-284, CWE-862, CWE-863); a single critical entry, CVE-2025-68929, is remote code execution through server-side template injection, and SSRF, path traversal, open redirect and a CSRF-adjacent issue each appear once. A recurring root cause in the SQL injection entries is "improper field sanitization": a client-supplied field name, not a value, reaching the query. Parameterized queries protect values only, so a framework whose API lets callers choose fields, filters and sort columns has to validate those identifiers separately, and the same pattern recurs in the authorization entries where an API accepts a DocType or document name without checking the caller's permission on it. The core framework receives regular patch releases, but an installation is only as current as the least-updated app on it, so rigorous patch management of every installed app and secure coding practices for developers extending the platform are what these advisories call for.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-41430 | Press vulnerable to reflected XSS on login redirection | press | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-04-24 |
| CVE-2026-41317 | Frappe Press has an unsafe HTTP method / CSRF-adjacent issue on API secret generation | press | CWE-352 | 8.8 (AI) | High (AI) | 2026-04-24 |
| CVE-2026-3837 | Frappe Framework 16.10.0 - Stored DOM XSS in Multiple Field Formatters | Frappe | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-22 |
| CVE-2026-3673 | Frappe Framework 16.10.0 - Stored DOM XSS in Tag Pill Renderer | Frappe | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-22 |
| CVE-2026-41320 | Frappe HR has a possible SQL injection due to improper field sanitization | hrms | CWE-89 | 6.5 | Medium | 2026-04-21 |
| CVE-2026-40889 | Frappe HR has Improper Access Control on Files | hrms | CWE-284 | 6.5 | Medium | 2026-04-21 |
| CVE-2026-40888 | Frappe HR vulnerable to Improper Access Control | hrms | CWE-284 | 6.5 (AI) | Medium (AI) | 2026-04-21 |
| CVE-2026-39415 | Frappe Learning Management System has Client-Side Manipulation of Quiz Scores | lms | CWE-602 | 7.1 (AI) | High (AI) | 2026-04-08 |
| CVE-2026-39351 | Frappe allows unrestricted Doctype access via API exploit | frappe | CWE-862 | 8.8 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-35614 | Frappe has a SQL injection in bulk_update | frappe | CWE-89 | 8.8 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-34606 | Stored XSS in Frappe LMS | lms | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-02 |
| CVE-2026-32954 | ERPNext has a possible SQL injection vulnerability due to missing validation | erpnext | CWE-89 | 7.1 | High | 2026-03-20 |
| CVE-2026-31879 | Frappe Workspace modification and stored XSS due to improper resource ownership checks | frappe | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-03-11 |
| CVE-2026-31878 | Frappe: Possible SSRF by any authenticated user | frappe | CWE-918 | 5.0 | Medium | 2026-03-11 |
| CVE-2026-31877 | Frappe SQL Injection due to improper field sanitization | frappe | CWE-89 | 7.5 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-29081 | Frappe: Possibility of SQL Injection due to improper fieldname sanitization | frappe | CWE-89 | 6.5 | Medium | 2026-03-05 |
| CVE-2026-29077 | Frappe: Broken Access Control in DocShare | frappe | CWE-284 | 7.1 | High | 2026-03-05 |
| CVE-2026-28436 | Frappe: Stored XSS in avatar_macro.html | frappe | CWE-79 | 5.4 | - | 2026-03-05 |
| CVE-2026-27471 | ERPNext: Document access through endpoints due to missing validation | erpnext | CWE-862 | 4.3 (AI) | Medium (AI) | 2026-02-21 |
| CVE-2026-26977 | Frappe Learning Management System exposes details of unpublished courses to unauthorized users | lms | CWE-862 | 4.3 | - | 2026-02-20 |
| CVE-2026-26031 | Frappe LMS: an unauthorised user was able to access the full list of batch-enrolled students | lms | CWE-863 | 5.3 (AI) | Medium (AI) | 2026-02-11 |
| CVE-2026-25956 | Frappe affected by XSS and Open Redirect in Sign Up | frappe | CWE-601 | 6.1 | Medium | 2026-02-10 |
| CVE-2026-23497 | Frappe LMS has a Stored XSS via Unsanitized Image Filename in Course and Jobs Pages | lms | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-01-14 |
| CVE-2025-68953 | Certain Frappe requests are vulnerable to Path Traversal | frappe | CWE-22 | 7.5 | High | 2026-01-05 |
| CVE-2025-68929 | Frappe may be vulnerable to remote code execution due to server-side template injection | frappe | CWE-1336 | 9.1 | Critical | 2025-12-29 |
| CVE-2025-68928 | Frappe CRM vulnerable to authenticated XSS via website field | crm | CWE-79 | 5.4 | Medium | 2025-12-29 |
| CVE-2025-67734 | Frappe authenticated users can execute JavaScript through its Job Form | lms | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-12-12 |
| CVE-2025-67730 | Frappe authenticated users can execute XSS through form description fields | lms | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-12-12 |
| CVE-2025-10655 | Frappe Helpdesk 1.14.0 - SQL Injection in dashboard get_dashboard_data | Frappe HelpDesk | CWE-89 | 8.8 (AI) | High (AI) | 2025-12-09 |
| CVE-2025-66581 | Frappe LMS is Missing Server-Side Authorization in Business Logic | lms | CWE-863 | 8.8 | - | 2025-12-05 |

A CVSS score or severity marked (AI) is one the site flags as AI-generated rather than taken from the advisory; "-" means no severity was assigned.
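Four entries in the table (CVE-2026-41320, CVE-2026-31877, CVE-2026-29081, CVE-2026-32954) share the root cause "improper field(name) sanitization". The following is an added example, written for this page and not taken from Frappe or from any of those advisories, that shows why a caller-chosen field name is an injection sink even when every value is bound as a parameter, and one way to close it. It stands in for a Frappe-style list endpoint with an in-memory SQLite table; the table names `tabToDo` and `tabUser`, the column set, the sample rows and the secret value are all constructed for the example, and the allowlist is hard-coded where a real implementation would read it from the DocType's metadata.

```python
"""
Constructed example: identifier injection through a list API that lets the
caller choose `fields` and `order_by`. Not Frappe's code; the schema, rows and
secret below are made up for the demonstration.
"""
import re
import sqlite3

# Columns of the hypothetical DocType. A real implementation would take this
# from the DocType metadata instead of a hard-coded set.
TODO_FIELDS = {"name", "owner", "status", "description"}
# Syntactic check on its own is NOT enough: "api_secret" matches this regex but
# is a column of a different table, so the allowlist above is still required.
FIELDNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class InvalidFieldName(ValueError):
    """Raised when a caller-supplied identifier is not an allowed column."""


def make_db() -> sqlite3.Connection:
    """Build the constructed dataset: two users' tasks plus a secrets table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tabToDo (name TEXT, owner TEXT, status TEXT, description TEXT)")
    con.executemany("INSERT INTO tabToDo VALUES (?, ?, ?, ?)", [
        ("TODO-001", "alice@example.com", "Open", "public task"),
        ("TODO-002", "bob@example.com", "Open", "bob secret"),
        ("TODO-003", "alice@example.com", "Closed", "second task"),
    ])
    con.execute("CREATE TABLE tabUser (name TEXT, api_secret TEXT)")
    con.execute("INSERT INTO tabUser VALUES ('bob@example.com', 'sk_live_constructed')")
    return con


def get_list_vulnerable(con, owner, fields, order_by="name"):
    """The weak pattern: `owner` is a bound parameter, but the identifiers are
    interpolated verbatim, so a scalar subquery smuggled in as a 'field name'
    reads any table the database user can see."""
    sql = f"SELECT {', '.join(fields)} FROM tabToDo WHERE owner = ? ORDER BY {order_by}"
    return con.execute(sql, (owner,)).fetchall()


def sanitize_fieldname(fieldname: str, allowed: set) -> str:
    """Accept an identifier only if it is syntactically a bare column name AND
    belongs to the allowlist for this DocType."""
    if not FIELDNAME_RE.fullmatch(fieldname) or fieldname not in allowed:
        raise InvalidFieldName(fieldname)
    return fieldname


def parse_order_by(order_by: str, allowed: set) -> str:
    """ORDER BY is an identifier position too: one allowed column plus an
    optional direction drawn from a fixed set, nothing else."""
    parts = order_by.split()
    if len(parts) not in (1, 2):
        raise InvalidFieldName(order_by)
    col = sanitize_fieldname(parts[0], allowed)
    direction = parts[1].lower() if len(parts) == 2 else "asc"
    if direction not in ("asc", "desc"):
        raise InvalidFieldName(order_by)
    return f"{col} {direction.upper()}"


def get_list_safe(con, owner, fields, order_by="name"):
    """Hardened form: every identifier is validated against the DocType's
    column allowlist before it is placed in the query; values stay bound."""
    cols = [sanitize_fieldname(f, TODO_FIELDS) for f in fields]
    order = parse_order_by(order_by, TODO_FIELDS)
    sql = f"SELECT {', '.join(cols)} FROM tabToDo WHERE owner = ? ORDER BY {order}"
    return con.execute(sql, (owner,)).fetchall()


def is_rejected(con, owner, fields, order_by="name") -> bool:
    """True if the hardened endpoint refuses the request."""
    try:
        get_list_safe(con, owner, fields, order_by)
        return False
    except InvalidFieldName:
        return True


if __name__ == "__main__":
    db = make_db()
    payload = ["name", "(SELECT api_secret FROM tabUser)"]
    print("vulnerable:", get_list_vulnerable(db, "alice@example.com", payload))
    print("hardened rejects payload:", is_rejected(db, "alice@example.com", payload))
    print("hardened, valid request:", get_list_safe(db, "alice@example.com", ["name"], "name desc"))
```

The point the vulnerable function makes is that the `WHERE owner = ?` binding is doing its job and is irrelevant: the leak happens in the SELECT list. Quoting the identifier with backticks is a weaker fix than the allowlist, because it still lets a caller name any column the database user can read (here `api_secret` would pass the regex), which is the same class of failure as the CWE-862 entries above where an API accepts a DocType name without checking the caller's permission on it.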

This page lists every published CVE security advisory associated with frappe; the table above shows the 30 most recently published of the 70. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.