Vypr Intelligence · AI-generated · Jun 12, 2026 · 11 CVEs

Frappe: 11 Medium-Severity CVEs Disclosed in a Single Day — XSS, SQLi, IDOR, and Access-Control Bugs

Frappe disclosed 11 medium-severity vulnerabilities in one hour on June 12, including stored XSS, SQL injection, IDOR, and broken access controls affecting versions prior to 15.106.0–15.107.2 and 16.16.0–16.17.4.

Key findings

  • 11 medium-severity CVEs disclosed together on June 12, 2026 spanning XSS, SQLi, IDOR, file access, and schema enumeration
  • Stored XSS accounts for the largest subgroup: three CVEs in Report/List View, Note module, and user profile images
  • One SQL injection (CVE-2026-41581) is reachable via the get_blog_list endpoint
  • Several authorization bugs allow authenticated users to access other users' email config, private files, and onboarding records
  • Fixes spread across versions 15.106.0–15.107.2 and 16.16.0–16.17.4 depending on the CVE

Frappe, the open-source ERP/CRM framework, disclosed 11 medium-severity vulnerabilities on June 12, 2026, spanning stored XSS, SQL injection, IDOR, unauthorized file access, and privilege escalation flaws. The batch — published across just one hour in coordinated advisories — affects all versions of Frappe prior to the respective patches in versions 15.106.0–15.107.2 and 16.16.0–16.17.4, depending on the individual CVE.

The largest cluster involves stored cross-site scripting (XSS). CVE-2026-53568 allows stored XSS through the Report/List View component, while CVE-2026-47739 exposes stored XSS in the Note module due to insufficient input sanitization. A third stored XSS bug, CVE-2026-44205, targets the user profile image section, enabling an attacker to execute arbitrary JavaScript in the browsers of other users. All three require an authenticated user to inject the payload, but once stored, the script fires for any visitor viewing the affected page.

CVE-2026-41581 stands out as the single SQL injection in the batch — it is reachable via the get_blog_list endpoint and, like the XSS bugs, requires an authenticated session to trigger. Although only one SQLi CVE landed, its presence in a framework that handles sensitive ERP and CRM data raises the potential for database extraction under the right conditions.

Several authorization and access-control bugs round out the batch. CVE-2026-50026 and CVE-2026-44208 both involve missing permission checks — the former in unspecified endpoints, the latter in the submit_discussion() endpoint — allowing an authenticated user to access resources they should not be able to reach. CVE-2026-44207 is an Insecure Direct Object Reference (IDOR) vulnerability that lets authenticated users read other users' email configuration details. CVE-2026-47182 permits any authenticated user to access private files by simply guessing the file path, with no ownership or permission check.

Two flaws target the onboarding subsystem. CVE-2026-44976 allows any user to modify any field in any Onboarding Step record, while CVE-2026-44975 lets any authenticated user reset the onboarding progress for all users on the system — a low-severity but disruptive privilege-escalation issue.

Finally, CVE-2026-44206 is an information-disclosure bug that allows an attacker to enumerate the database schema through an exposed endpoint, aiding further reconnaissance.

Frappe has released fixed versions across the affected branches. For Frappe v15, the fixes roll up into versions 15.106.0 (which patches CVE-2026-47739, CVE-2026-44205, and CVE-2026-41581), 15.107.0 (which patches CVE-2026-50026, CVE-2026-44208, and CVE-2026-44207), and 15.107.2 (which patches CVE-2026-53568, CVE-2026-47182, CVE-2026-44976, CVE-2026-44975, and CVE-2026-44206). For Frappe v16, the corresponding fixes land in 16.16.0, 16.17.0, and 16.17.4, following the same three-way grouping. Users running any version older than these patch releases should upgrade to the latest build on their branch.
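Because the fixes are spread over three releases per branch, an instance can be partially patched. The following is an added example (not code from Vypr or from the Frappe project) that encodes the fix versions stated above and reports which of the 11 CVEs a given installed version still lacks. The v16 mapping (16.16.0, 16.17.0, 16.17.4 covering the same three groups as 15.106.0, 15.107.0, 15.107.2) is taken from the article's "same patching pattern" statement and is an assumption in that sense; the version strings fed to it are constructed samples.

```python
"""Report which CVEs from the June 12, 2026 Frappe batch an installed version lacks.

Added example, not part of the advisory or of Frappe's own code base. The
CVE-to-fix-version table comes from the advisory text; the v16 grouping is
the advisory's "same patching pattern" applied to the three v15 groups
(assumption). Branches the advisory does not cover (e.g. v14) are reported
as fully unpatched, since the advisory says all earlier versions are affected.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# CVE -> {major branch: first release carrying the fix}
FIXED_IN: Dict[str, Dict[int, str]] = {
    # group 1: 15.106.0 / 16.16.0
    "CVE-2026-47739": {15: "15.106.0", 16: "16.16.0"},  # stored XSS, Note module
    "CVE-2026-44205": {15: "15.106.0", 16: "16.16.0"},  # stored XSS, profile image
    "CVE-2026-41581": {15: "15.106.0", 16: "16.16.0"},  # SQLi, get_blog_list
    # group 2: 15.107.0 / 16.17.0
    "CVE-2026-50026": {15: "15.107.0", 16: "16.17.0"},  # missing permission check
    "CVE-2026-44208": {15: "15.107.0", 16: "16.17.0"},  # submit_discussion() permissions
    "CVE-2026-44207": {15: "15.107.0", 16: "16.17.0"},  # IDOR, email configuration
    # group 3: 15.107.2 / 16.17.4
    "CVE-2026-53568": {15: "15.107.2", 16: "16.17.4"},  # stored XSS, Report/List View
    "CVE-2026-47182": {15: "15.107.2", 16: "16.17.4"},  # private file access by path
    "CVE-2026-44976": {15: "15.107.2", 16: "16.17.4"},  # Onboarding Step modification
    "CVE-2026-44975": {15: "15.107.2", 16: "16.17.4"},  # onboarding progress reset
    "CVE-2026-44206": {15: "15.107.2", 16: "16.17.4"},  # schema enumeration
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse '15.107.2', 'v16.17.4' or '16.17.4-beta' into a comparable int tuple.

    Pre-release suffixes are dropped, so a '16.17.4-beta' build counts as 16.17.4;
    treat such builds as patched only if you know the pre-release carries the fix.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Frappe version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def unpatched_cves(installed: str) -> List[str]:
    """Return the batch CVEs that the installed version does not yet fix."""
    ver = parse_version(installed)
    major = ver[0]
    missing: List[str] = []
    for cve, fixes in FIXED_IN.items():
        # Uncovered branch: no fix release exists, so the CVE is still open.
        if major not in fixes or ver < parse_version(fixes[major]):
            missing.append(cve)
    return missing


def fully_patched_version(major: int) -> str:
    """Smallest release on a branch that fixes every CVE in the batch."""
    releases = [fixes[major] for fixes in FIXED_IN.values() if major in fixes]
    if not releases:
        raise ValueError(f"branch {major}.x is not covered by this advisory")
    return max(releases, key=parse_version)


if __name__ == "__main__":
    # Constructed sample inputs, e.g. as read from `bench version` output.
    for sample in ("15.105.0", "15.106.0", "v16.17.1", "16.17.4"):
        open_cves = unpatched_cves(sample)
        target = fully_patched_version(parse_version(sample)[0])
        print(f"{sample}: {len(open_cves)} unpatched -> upgrade to {target}" if open_cves
              else f"{sample}: fully patched for this batch")
```

Run it against the version each production site reports and treat any non-empty result as an upgrade ticket; the target release is the last one in the branch's group, not the first.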

With 11 medium-severity vulnerabilities disclosed in a single hour, the June 12 batch is a reminder of the attack surface that accumulates in extensible frameworks like Frappe. Although none of these CVEs carry a critical or high severity label, their variety — from stored XSS to SQLi to IDOR — means that an authenticated attacker with modest privileges could chain several of them for more serious impact. Frappe administrators should prioritize upgrading to the patched versions listed above, especially on instances that allow external user registration or host sensitive customer data.

AI-written article. Grounded in 11 CVE records listed below.