VYPR
Vendor: Frappe
Products: 12
CVEs: 198 (222 across products)
Status: Private

Recent CVEs (198)
  • CVE-2018-2380 | Medium | KEV | Mar 1, 2018
    risk 0.66 | CVSS 6.6 | EPSS 0.29

    SAP CRM 7.01, 7.02, 7.30, 7.31, 7.33, 7.54 allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.

  • CVE-2024-34990 | Critical | Jun 19, 2024
    risk 0.65 | CVSS 10.0 | EPSS 0.01

    In the module "Help Desk - Customer Support Management System" (helpdesk) up to version 2.4.0 from FME Modules for PrestaShop, a customer can upload .php files. Methods `HelpdeskHelpdeskModuleFrontController::submitTicket()` and `HelpdeskHelpdeskModuleFrontController::replyTicket…

  • CVE-2026-38431 | Critical | May 5, 2026
    risk 0.64 | CVSS 9.8 | EPSS 0.00

    ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.

  • CVE-2026-31282 | Critical | Apr 13, 2026
    risk 0.64 | CVSS 9.8 | EPSS 0.00

    Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack. NOTE: this is disputed by the Supplier…

  • CVE-2025-13542 | Critical | Dec 2, 2025
    risk 0.64 | CVSS 9.8 | EPSS 0.00

    The DesignThemes LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.4. This is due to the 'dtlms_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for…

  • CVE-2025-52833 | Critical | Jul 4, 2025
    risk 0.60 | CVSS 9.3 | EPSS 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in designthemes LMS lms allows SQL Injection. This issue affects LMS: from n/a through <= 9.2.

  • CVE-2026-31017 | Critical | Apr 8, 2026
    risk 0.59 | CVSS 9.1 | EPSS 0.00

    A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML…

  • CVE-2026-44442 | Critical | May 13, 2026
    risk 0.57 | CVSS 9.9 | EPSS 0.00

    ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 16.9.1.

  • CVE-2023-54345 | High | May 5, 2026
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script…

  • CVE-2026-35614 | Critical | Apr 7, 2026
    risk 0.57 | CVSS 9.8 | EPSS 0.00

    Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulk_update. This vulnerability is fixed in 16.14.0 and 15.104.0.

  • CVE-2025-10655 | High | Dec 9, 2025
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe HelpDesk: 1.14.0.

  • CVE-2024-38992 | High | Jul 1, 2024
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    airvertco frappejs v0.0.11 was discovered to contain a prototype pollution via the function registerView. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

  • CVE-2018-3885 | High | Sep 12, 2018
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The order_by parameter can be used to perform an SQL injection attack. An attacker can use a…

  • CVE-2018-3884 | High | Sep 12, 2018
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The sort_by and start parameter can be used to perform an SQL injection attack. An attacker can…

  • CVE-2018-3883 | High | Sep 12, 2018
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The employee and sort_order parameter can be used to perform an SQL injection attack. An attacker…

  • CVE-2018-3882 | High | Sep 12, 2018
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The searchfield parameter can be used to perform an SQL injection attack. An attacker can use a…

  • CVE-2017-1000120 | High | Oct 5, 2017
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    [ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter.

  • CVE-2026-39405 | Critical | May 20, 2026
    risk 0.54 | CVSS not listed | EPSS 0.00

    Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.50.0 and below, a user with course editing role could upload a SCORM ZIP package to write files outside the intended directory. This issue has been resolved in…

  • CVE-2026-31281 | High | Apr 13, 2026
    risk 0.52 | CVSS 8.0 | EPSS 0.00

    Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's…

  • CVE-2026-39351 | Critical | Apr 7, 2026
    risk 0.52 | CVSS 9.1 | EPSS 0.00

    Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit.
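Several entries above (CVE-2017-1000120's `fields` parameter, CVE-2018-3882 through CVE-2018-3885's `searchfield`, `sort_by`, `sort_order` and `order_by` parameters, and CVE-2025-10655's `get_dashboard_data`) are one bug class: caller-supplied SQL identifiers concatenated into a query. Bound parameters do not close it, because a column name or ORDER BY clause cannot be passed as a `?` placeholder. The following is an added example, not Frappe's code, that reproduces the pattern against an in-memory SQLite table with constructed rows and hypothetical column names, shows a direct leak through `fields` and a blind oracle through `order_by`, and then re-emits every identifier from an allowlist so that both inputs are refused.

```python
"""Added example (not Frappe's code): identifier injection through list-API
parameters such as `fields` and `order_by`, and an allowlist that closes it.
Runs against an in-memory SQLite table with constructed data."""
import re
import sqlite3

# Hypothetical DocType columns the API is allowed to expose or sort on.
ALLOWED_COLUMNS = {"name", "employee", "status", "modified"}
# One ORDER BY term: a bare identifier with an optional direction, nothing else.
ORDER_TERM = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?:\s+(asc|desc))?$", re.IGNORECASE)


def build_db():
    """Constructed sample data: two employees plus a table the API must never reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tabEmployee (name TEXT, employee TEXT, status TEXT, modified TEXT)")
    conn.executemany("INSERT INTO tabEmployee VALUES (?, ?, ?, ?)", [
        ("EMP-001", "Alice", "Left", "2024-01-01"),
        ("EMP-002", "Bob", "Active", "2024-02-01"),
    ])
    conn.execute("CREATE TABLE secrets (api_key TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('hunter2')")
    return conn


def get_list_unsafe(conn, fields, order_by):
    """The vulnerable shape: identifiers pasted into SQL. Placeholders cannot bind
    column names, so `?` parameters would not have helped here."""
    sql = f"SELECT {', '.join(fields)} FROM tabEmployee ORDER BY {order_by}"
    return conn.execute(sql).fetchall()


def leak_via_fields(conn):
    """A subquery smuggled in as a 'field' comes back as an extra result column."""
    return get_list_unsafe(conn, ["name", "(SELECT api_key FROM secrets)"], "name")


def oracle_via_order_by(conn, guess):
    """Blind variant: ORDER BY returns no data, but a CASE expression makes the
    row order depend on a condition, which leaks one bit per request."""
    order_by = f"CASE WHEN (SELECT api_key FROM secrets) = '{guess}' THEN name ELSE status END"
    rows = get_list_unsafe(conn, ["name"], order_by)
    # Sorting by name puts EMP-001 first; sorting by status ('Active' < 'Left') puts EMP-002 first.
    return rows[0][0] == "EMP-001"


def validate_column(col):
    """Identifiers are only ever echoed from the allowlist, never from the request."""
    if col not in ALLOWED_COLUMNS:
        raise ValueError(f"column not permitted: {col!r}")
    return col


def validate_order_by(order_by):
    """Parse the caller's ORDER BY into (column, direction) pairs; anything that is
    not an allowlisted column with an optional asc/desc is rejected outright."""
    terms = []
    for part in order_by.split(","):
        m = ORDER_TERM.match(part.strip())
        if not m:
            raise ValueError(f"malformed order_by term: {part.strip()!r}")
        col = validate_column(m.group(1))
        direction = (m.group(2) or "asc").upper()
        terms.append(f"{col} {direction}")
    return ", ".join(terms)


def get_list_safe(conn, fields, order_by):
    """Same query, but every identifier is rebuilt from validated pieces."""
    cols = ", ".join(validate_column(f) for f in fields)
    sql = f"SELECT {cols} FROM tabEmployee ORDER BY {validate_order_by(order_by)}"
    return conn.execute(sql).fetchall()


def rejects(func, *args):
    """True if the hardened path refuses the input."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print(leak_via_fields(db))                       # secret shows up as a column
    print(oracle_via_order_by(db, "hunter2"), oracle_via_order_by(db, "wrong"))
    print(get_list_safe(db, ["name", "status"], "name desc"))
    print(rejects(get_list_safe, db, ["name", "(SELECT api_key FROM secrets)"], "name"))
```

The allowlist is the only part that matters: escaping or quoting the identifier would still let a caller sort by, or select, any column the query's database user can read, so the validated form restricts the vocabulary rather than the characters.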
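CVE-2026-39405 above describes a ZIP package whose members write outside the intended directory. The usual cause is trusting member names from the archive header when joining them onto the extraction root. The following is an added example, not Frappe LMS's code, that builds two small archives in memory (one benign, one with a `../../` member, both constructed for the demonstration), screens every member before anything is written, re-checks each resolved target path against the root during extraction, and bounds the decompressed size instead of trusting the header's `file_size`.

```python
"""Added example (not Frappe LMS's code): extracting an uploaded ZIP package,
such as a SCORM bundle, without letting any member write outside the target
directory. Both archives are constructed in memory for the demonstration."""
import io
import os
import stat
import tempfile
import zipfile


class UnsafeArchiveError(ValueError):
    pass


def build_packages():
    """Constructed samples: a benign package and one carrying a traversal entry."""
    benign = io.BytesIO()
    with zipfile.ZipFile(benign, "w") as z:
        z.writestr("imsmanifest.xml", "<manifest/>")
        z.writestr("content/index.html", "<html></html>")
    evil = io.BytesIO()
    with zipfile.ZipFile(evil, "w") as z:
        z.writestr("imsmanifest.xml", "<manifest/>")
        z.writestr("../../hooks.py", "print('owned')")   # would land two levels up
    return benign.getvalue(), evil.getvalue()


def find_unsafe_members(zip_bytes):
    """Name-level screen over every member before anything is written: absolute
    paths, drive letters, '..' components and symlink entries are all refused."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            parts = info.filename.replace("\\", "/").split("/")
            if (info.filename.startswith(("/", "\\")) or ":" in parts[0]
                    or ".." in parts or stat.S_ISLNK(info.external_attr >> 16)):
                bad.append(info.filename)
    return bad


def safe_extract(zip_bytes, dest_dir, max_total_bytes=50 * 2**20):
    """Extract only after the whole package passed the screen, and re-check each
    resolved target path against the destination root while writing."""
    bad = find_unsafe_members(zip_bytes)
    if bad:
        raise UnsafeArchiveError(f"refusing package, unsafe members: {bad}")
    dest_root = os.path.realpath(dest_dir)
    os.makedirs(dest_root, exist_ok=True)
    written, total = [], 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            target = os.path.realpath(os.path.join(dest_root, info.filename))
            if os.path.commonpath([dest_root, target]) != dest_root:
                raise UnsafeArchiveError(f"resolved path escapes root: {info.filename!r}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # Count bytes as they are decompressed: the header's file_size is
            # attacker-controlled, so it is not a trustworthy bound against zip bombs.
            with z.open(info) as src, open(target, "wb") as dst:
                while chunk := src.read(1 << 16):
                    total += len(chunk)
                    if total > max_total_bytes:
                        raise UnsafeArchiveError("package exceeds size budget")
                    dst.write(chunk)
            written.append(info.filename)
    return written


def demo():
    """Extract the benign package into a temp dir and try the hostile one."""
    benign, evil = build_packages()
    with tempfile.TemporaryDirectory() as tmp:
        course = os.path.join(tmp, "course")
        written = safe_extract(benign, course)
        on_disk = sorted(os.path.relpath(os.path.join(d, f), course)
                         for d, _, files in os.walk(course) for f in files)
        try:
            safe_extract(evil, os.path.join(tmp, "course2"))
            rejected = False
        except UnsafeArchiveError:
            rejected = True
    return {"written": written, "on_disk": on_disk,
            "unsafe": find_unsafe_members(evil), "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Recent CPython versions already strip `..` components inside `ZipFile.extract`, which is why the explicit screen comes first: the check should not depend on which extractor a later refactor happens to use, and rejecting the whole package on the first bad member avoids a half-written course directory.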