
frappe — Vulnerabilities & Security Advisories (70)

Browse all 70 CVE security advisories affecting frappe. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Frappe is an open-source web framework primarily utilized for building enterprise resource planning (ERP) applications, most notably through its flagship product, ERPNext. With seventy recorded Common Vulnerabilities and Exposures, the platform has faced significant scrutiny regarding its security posture. Historically, the most prevalent vulnerability classes include Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL injection, often stemming from insufficient input validation or improper access controls within custom modules. Privilege escalation flaws have also been documented, allowing unauthorized users to gain elevated permissions. While the core framework itself receives regular updates, the extensive ecosystem of third-party apps introduces variability in security hygiene. Major incidents have largely involved misconfigurations or exploited bugs in specific integrations rather than fundamental architectural failures, highlighting the critical importance of rigorous patch management and secure coding practices for developers extending the Frappe platform.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-66206 | Frappe vulnerable to a path traversal allowing reading certain files | frappe | CWE-22 | 6.8 | Medium | 2025-12-01 |
| CVE-2025-66205 | Frappe has the possibility of SQL Injection due to improper validations | frappe | CWE-89 | 7.1 | High | 2025-12-01 |
| CVE-2025-11461 | Frappe CRM 1.53.1 — Multiple SQL Injections in Dashboard Controller | Frappe CRM | CWE-89 | 8.8 (AI) | High (AI) | 2025-11-26 |
| CVE-2025-64707 | Frappe LMS revoking access did not show immediate effect as roles were cached | lms | CWE-863 | 6.3 | - | 2025-11-12 |
| CVE-2025-64705 | Frappe user was able to access the submission of other students | lms | CWE-200 | 4.6 | - | 2025-11-12 |
| CVE-2025-62779 | Frappe Learning users were able to add HTML through input fields in the Job Form | lms | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-10-27 |
| CVE-2025-62778 | Frappe Learning allowed students to access the Quiz Form via direct URL | lms | CWE-425 | 5.3 (AI) | Medium (AI) | 2025-10-27 |
| CVE-2025-62407 | Frappe has an Open Redirect on Login Page | frappe | CWE-601 | 6.1 | Medium | 2025-10-16 |
| CVE-2025-62158 | Frappe had attachments made by students to their assignments of type Text set to public | lms | CWE-200 | 7.5 (AI) | High (AI) | 2025-10-10 |
| CVE-2025-11283 | Frappe LMS Course cross site scripting | LMS | CWE-79 | 2.4 | Low | 2025-10-05 |
| CVE-2025-11282 | Frappe LMS Incomplete Fix CVE-2025-55006 cross site scripting | LMS | CWE-79 | 2.4 | Low | 2025-10-05 |
| CVE-2025-11281 | Frappe LMS Unpublished Course courses access control | LMS | CWE-284 | 5.0 | Medium | 2025-10-05 |
| CVE-2025-11280 | Frappe LMS Assignment Picture files direct request | LMS | CWE-425 | 3.7 | Low | 2025-10-05 |
| CVE-2025-59421 | Press vulnerable to email flooding to users due to lack of validation and rate limits | press | CWE-770 | - | - | 2025-09-18 |
| CVE-2025-59415 | Frappe Learning vulnerable to Malicious Content upload via Profile bio field | lms | CWE-79 | 4.6 | Medium | 2025-09-17 |
| CVE-2025-58439 | ERP: Possibility of SQL injection due to missing validation | erpnext | CWE-89 | 8.1 | High | 2025-09-06 |
| CVE-2025-55732 | Frappe has the possibility of SQL Injection due to improper validations | frappe | CWE-89 | 7.5 (AI) | High (AI) | 2025-08-20 |
| CVE-2025-55731 | Frappe has the possibility of Authenticated SQL Injection due to improper validations | frappe | CWE-89 | 7.5 (AI) | High (AI) | 2025-08-20 |
| CVE-2025-55006 | Frappe Learning Holds Potential for Malicious SVG Upload in Image Upload Feature | lms | CWE-20 | 4.3 | Medium | 2025-08-09 |
| CVE-2025-53545 | Press has a potential 2FA bypass | press | CWE-287 | 9.8 (AI) | Critical (AI) | 2025-07-08 |
| CVE-2025-52898 | Frappe account takeover via password reset token leakage | frappe | CWE-200 | 9.1 (AI) | Critical (AI) | 2025-06-30 |
| CVE-2025-52896 | Frappe authenticated XSS via data import | frappe | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-06-30 |
| CVE-2025-52895 | Frappe possibility of SQL injection due to improper validations | frappe | CWE-89 | 7.5 (AI) | High (AI) | 2025-06-30 |
| CVE-2025-30217 | Frappe has possibility of SQL injection due to improper validations | frappe | CWE-89 | 7.5 (AI) | High (AI) | 2025-03-26 |
| CVE-2025-30214 | Frappe vulnerable to information disclosure leading to account takeover | frappe | CWE-200 | 8.1 (AI) | High (AI) | 2025-03-25 |
| CVE-2025-30213 | Frappe has Possibility of Remote Code Execution due to improper validation | frappe | CWE-20 | 8.8 (AI) | High (AI) | 2025-03-25 |
| CVE-2025-30212 | Frappe has possibility of SQL injection due to improper validations | frappe | CWE-89 | 7.5 (AI) | High (AI) | 2025-03-25 |
| CVE-2024-50356 | Press has a potential 2FA bypass | press | CWE-640 | - | - | 2024-10-31 |
| CVE-2024-49751 | Frappe Press possible HTML injection through SaaS Signup inputs | press | CWE-79 | 5.4 (AI) | Medium (AI) | 2024-10-23 |
| CVE-2024-34074 | Frappe vulnerable to an open redirect on login page | frappe | CWE-601 | 6.1 | Medium | 2024-05-09 |

"(AI)" reproduces the page's own "AI" marker attached to that CVSS score or severity value; "-" means the page lists no value.

This page lists every published CVE security advisory associated with frappe. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.