VYPR

Frappe Framework

by Frappe

CVEs (10)

  • CVE-2026-50710 | Jun 24, 2026
    risk 0.00 | cvss | epss 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component.

  • CVE-2026-50705 | Jun 24, 2026
    risk 0.00 | cvss | epss 0.00

    A Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer.

  • CVE-2026-50703 | Jun 24, 2026
    risk 0.00 | cvss | epss 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Desk desktop icon renderer.

  • CVE-2026-50699 | Jun 24, 2026
    risk 0.00 | cvss | epss 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger script execution when users…

  • CVE-2026-50698 | Jun 24, 2026
    risk 0.00 | cvss | epss 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component.

  • CVE-2025-67289 | Dec 22, 2025
    risk 0.00 | cvss | epss 0.00

    An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.

  • CVE-2025-65267 | Dec 3, 2025
    risk 0.00 | cvss | epss 0.00

    In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting…

  • CVE-2025-56380 | Oct 2, 2025
    risk 0.00 | cvss | epss 0.00

    Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via a crafted script passed to the fieldname parameter of the frappe.client.get_value API endpoint.

  • CVE-2019-14967 | Med | Aug 12, 2019
    risk 0.00 | cvss 6.1 | epss 0.01

    An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. There exists an XSS vulnerability.

  • CVE-2019-14965 | Cri | Aug 12, 2019
    risk 0.00 | cvss 9.8 | epss 0.03

    An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists.