Frappe Framework
by Frappe
CVEs (10)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-50710 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component. |
| CVE-2026-50705 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | A Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer. |
| CVE-2026-50703 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Desk desktop icon renderer. |
| CVE-2026-50699 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger script execution when users… |
| CVE-2026-50698 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component. |
| CVE-2025-67289 | | | 0.00 | — | 0.00 | | Dec 22, 2025 | An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file. |
| CVE-2025-65267 | | | 0.00 | — | 0.00 | | Dec 3, 2025 | In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting… |
| CVE-2025-56380 | | | 0.00 | — | 0.00 | | Oct 2, 2025 | Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the frappe.client.get_value API endpoint and a crafted script to the fieldname parameter |
| CVE-2019-14967 | | Medium | 0.00 | 6.1 | 0.01 | | Aug 12, 2019 | An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. There exists an XSS vulnerability. |
| CVE-2019-14965 | | Critical | 0.00 | 9.8 | 0.03 | | Aug 12, 2019 | An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists. |