frappe — Vulnerabilities & Security Advisories (70)

Browse all 70 CVE security advisories affecting frappe. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Frappe is an open-source web framework primarily utilized for building enterprise resource planning (ERP) applications, most notably through its flagship product, ERPNext. With seventy recorded Common Vulnerabilities and Exposures, the platform has faced significant scrutiny regarding its security posture. Historically, the most prevalent vulnerability classes include Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL injection, often stemming from insufficient input validation or improper access controls within custom modules. Privilege escalation flaws have also been documented, allowing unauthorized users to gain elevated permissions. While the core framework itself receives regular updates, the extensive ecosystem of third-party apps introduces variability in security hygiene. Major incidents have largely involved misconfigurations or exploited bugs in specific integrations rather than fundamental architectural failures, highlighting the critical importance of rigorous patch management and secure coding practices for developers extending the Frappe platform.

Found 34 results of 70. Values marked (AI) are flagged on the source listing as AI-generated rather than officially assigned.

| CVE ID | Title | Vendor | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-3837 | Frappe Framework 16.10.0 - Stored DOM XSS in Multiple Field Formatters | Frappe | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-22 |
| CVE-2026-3673 | Frappe Framework 16.10.0 - Stored DOM XSS in Tag Pill Renderer | Frappe | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-22 |
| CVE-2026-39351 | Frappe allows unrestricted Doctype access via API exploit | frappe | CWE-862 | 8.8 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-35614 | Frappe has a SQL injection in bulk_update | frappe | CWE-89 | 8.8 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-31879 | Frappe Workspace modification and stored XSS due to improper resource ownership checks | frappe | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-03-11 |
| CVE-2026-31878 | Frappe: Possible SSRF by any authenticated user | frappe | CWE-918 | 5.0 | Medium | 2026-03-11 |
| CVE-2026-31877 | Frappe SQL Injection due to improper field sanitization | frappe | CWE-89 | 7.5 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-29081 | Frappe: Possibility of SQL Injection due to improper fieldname sanitization | frappe | CWE-89 | 6.5 | Medium | 2026-03-05 |
| CVE-2026-29077 | Frappe: Broken Access Control in DocShare | frappe | CWE-284 | 7.1 | High | 2026-03-05 |
| CVE-2026-28436 | Frappe: Stored XSS in avatar_macro.html | frappe | CWE-79 | 5.4 | - | 2026-03-05 |
| CVE-2026-25956 | Frappe Affected by XSS and Open Redirect in Sign Up | frappe | CWE-601 | 6.1 | Medium | 2026-02-10 |
| CVE-2025-68953 | Certain Frappe requests are vulnerable to Path Traversal | frappe | CWE-22 | 7.5 | High | 2026-01-05 |
| CVE-2025-68929 | Frappe may be vulnerable to remote code execution due to server-side template injection | frappe | CWE-1336 | 9.1 | Critical | 2025-12-29 |
| CVE-2025-66206 | Frappe vulnerable to a path traversal allowing reading certain files | frappe | CWE-22 | 6.8 | Medium | 2025-12-01 |
| CVE-2025-66205 | Frappe has the possibility of SQL Injection due to improper validations | frappe | CWE-89 | 7.1 | High | 2025-12-01 |
| CVE-2025-62407 | Frappe has an Open Redirect on Login Page | frappe | CWE-601 | 6.1 | Medium | 2025-10-16 |
| CVE-2025-55732 | Frappe has the possibility of SQL Injection due to improper validations | frappe | CWE-89 | 7.5 (AI) | High (AI) | 2025-08-20 |
| CVE-2025-55731 | Frappe has the possibility of Authenticated SQL Injection due to improper validations | frappe | CWE-89 | 7.5 (AI) | High (AI) | 2025-08-20 |
| CVE-2025-52898 | Frappe account takeover via password reset token leakage | frappe | CWE-200 | 9.1 (AI) | Critical (AI) | 2025-06-30 |
| CVE-2025-52896 | Frappe authenticated XSS via data import | frappe | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-06-30 |
| CVE-2025-52895 | Frappe possibility of SQL injection due to improper validations | frappe | CWE-89 | 7.5 (AI) | High (AI) | 2025-06-30 |
| CVE-2025-30217 | Frappe has possibility of SQL injection due to improper validations | frappe | CWE-89 | 7.5 (AI) | High (AI) | 2025-03-26 |
| CVE-2025-30214 | Frappe vulnerable to information disclosure leading to account takeover | frappe | CWE-200 | 8.1 (AI) | High (AI) | 2025-03-25 |
| CVE-2025-30213 | Frappe has Possibility of Remote Code Execution due to improper validation | frappe | CWE-20 | 8.8 (AI) | High (AI) | 2025-03-25 |
| CVE-2025-30212 | Frappe has possibility of SQL injection due to improper validations | frappe | CWE-89 | 7.5 (AI) | High (AI) | 2025-03-25 |
| CVE-2024-34074 | Frappe vulnerable to an open redirect on login page | frappe | CWE-601 | 6.1 | Medium | 2024-05-09 |
| CVE-2024-27105 | Frappe File Permissions can be bypassed using certain endpoints | frappe | CWE-863 | 8.1 | High | 2024-03-20 |
| CVE-2024-24813 | Frappe SQL Injection from reporting logic | frappe | CWE-89 | 7.5 | High | 2024-03-20 |
| CVE-2024-24812 | Frappe Authenticated Reflected Cross site scripting (XSS) in portal pages | frappe | CWE-79 | 5.4 | Medium | 2024-02-07 |
| CVE-2023-46127 | Frappe vulnerable to HTML injection by any Desk user | frappe | CWE-79 | 5.4 | Medium | 2023-10-23 |

This page lists every published CVE security advisory associated with frappe. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.