VYPR

Frappe

by Frappe

pypi: frappe


CVEs (65)

  • CVE-2025-11461 (Nov 26, 2025)
    risk 0.00 | cvss | epss 0.00

    Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1.

  • CVE-2025-62407 (Oct 16, 2025)
    risk 0.00 | cvss | epss 0.00

    Frappe is a full-stack web application framework. Prior to 14.98.0 and 15.83.0, an open redirect was possible through the redirect argument on the login page, if a specific type of URL was passed in. This vulnerability is fixed in 14.98.0 and 15.83.0.

  • CVE-2025-52048 (Sep 15, 2025)
    risk 0.00 | cvss | epss 0.00

    In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, the function add_tag() at `frappe/desk/doctype/tag/tag.py` is vulnerable to SQL Injection, which allows an attacker to extract information from databases by injecting a SQL query into the `dt` parameter.

  • CVE-2025-55732 (Aug 20, 2025)
    risk 0.00 | cvss | epss 0.00

    Frappe is a full-stack web application framework. Prior to 15.74.2 and 14.96.15, an attacker could implement SQL injection through specially crafted requests, allowing malicious people to access sensitive information. This vulnerability is a bypass of the official patch released…

  • CVE-2025-55731 (Aug 20, 2025)
    risk 0.00 | cvss | epss 0.00

    Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not have access to, via SQL injection. This vulnerability is fixed in 15.74.2 and 14.96.15.

  • CVE-2025-52898 (Jun 30, 2025)
    risk 0.00 | cvss | epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way.…

  • CVE-2025-52896 (Jun 30, 2025)
    risk 0.00 | cvss | epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There…

  • CVE-2025-52895 (Jun 30, 2025)
    risk 0.00 | cvss | epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow a malicious person to gain access to sensitive information. This issue has been patched in versions 14.94.3…

  • CVE-2025-30217 (Mar 26, 2025)
    risk 0.00 | cvss | epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 14.93.2 and 15.55.0, a SQL Injection vulnerability has been identified in Frappe Framework which could allow a malicious actor to access sensitive information. Versions 14.93.2 and 15.55.0 contain a patch for…

  • CVE-2025-30214 (Mar 25, 2025)
    risk 0.00 | cvss | epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 14.89.0 and 15.51.0, making crafted requests could lead to information disclosure that could further lead to account takeover. Versions 14.89.0 and 15.51.0 fix the issue. There's no workaround to fix this…

  • CVE-2025-30213 (Mar 25, 2025)
    risk 0.00 | cvss | epss 0.01

    Frappe is a full-stack web application framework. Prior to versions 14.91.0 and 15.52.0, a system user was able to create certain documents in a specific way that could lead to remote code execution. Versions 14.9.1 and 15.52.0 contain a patch for the vulnerability. There's no…

  • CVE-2025-30212 (Mar 25, 2025)
    risk 0.00 | cvss | epss 0.00

    Frappe is a full-stack web application framework. An SQL Injection vulnerability has been identified in Frappe Framework prior to versions 14.89.0 and 15.51.0 which could allow a malicious actor to access sensitive information. Versions 14.89.0 and 15.51.0 fix the issue.…

  • CVE-2024-34074 (May 9, 2024)
    risk 0.00 | cvss | epss 0.01

    Frappe is a full-stack web application framework. Prior to 15.26.0 and 14.74.0, the login page accepts a redirect argument and allowed redirects to untrusted external URLs. This behaviour can be used by malicious actors for phishing. This vulnerability is fixed in 15.26.0 and…

  • CVE-2024-27105 (Mar 20, 2024)
    risk 0.00 | cvss | epss 0.01

    Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.16.0 contain a patch for this issue. No…

  • CVE-2024-24813 (Mar 20, 2024)
    risk 0.00 | cvss | epss 0.01

    Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue.…

  • CVE-2024-24812 (Feb 7, 2024)
    risk 0.00 | cvss | epss 0.00

    Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client side library. Prior to versions 14.59.0 and 15.5.0, portal pages are susceptible to Cross-Site Scripting (XSS) which can be used to inject malicious…

  • CVE-2023-5555 (Oct 12, 2023)
    risk 0.00 | cvss | epss 0.00

    Cross-site Scripting (XSS) - Generic in GitHub repository frappe/lms prior to 5614a6203fb7d438be8e2b1e3030e4528d170ec4.

  • CVE-2023-41328 (Sep 6, 2023)
    risk 0.00 | cvss | epss 0.00

    Frappe is a low code web framework written in Python and Javascript. A SQL Injection vulnerability has been identified in the Frappe Framework which could allow a malicious actor to access sensitive information. This issue has been addressed in versions 13.46.1 and 14.20.0.…

  • CVE-2022-41712 (Nov 25, 2022)
    risk 0.00 | cvss | epss 0.01

    Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter.

  • CVE-2022-3988 (Nov 14, 2022)
    risk 0.00 | cvss | epss 0.01

    A vulnerability was found in Frappe. It has been rated as problematic. Affected by this issue is some unknown functionality of the file frappe/templates/includes/navbar/navbar_search.html of the component Search. The manipulation of the argument q leads to cross site scripting.…