VYPR

Vendor CVEs

Frappe

All CVEs

198 total · sorted by risk
  • CVE-2018-2380 · Medium · KEV · Mar 1, 2018
    risk 0.66 · cvss 6.6 · epss 0.29

    SAP CRM, 7.01, 7.02, 7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.

  • CVE-2024-34990 · Critical · Jun 19, 2024
    risk 0.65 · cvss 10.0 · epss 0.01

    In the module "Help Desk - Customer Support Management System" (helpdesk) up to version 2.4.0 from FME Modules for PrestaShop, a customer can upload .php files. Methods `HelpdeskHelpdeskModuleFrontController::submitTicket()` and `HelpdeskHelpdeskModuleFrontController::replyTicket…

  • CVE-2026-38431 · Critical · May 5, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.

  • CVE-2026-31282 · Critical · Apr 13, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack. NOTE: this is disputed by the Supplier…

  • CVE-2025-13542 · Critical · Dec 2, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    The DesignThemes LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.4. This is due to the 'dtlms_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for…

  • CVE-2025-52833 · Critical · Jul 4, 2025
    risk 0.60 · cvss 9.3 · epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in designthemes LMS lms allows SQL Injection. This issue affects LMS: from n/a through <= 9.2.

  • CVE-2026-31017 · Critical · Apr 8, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML…

  • CVE-2026-44442 · Critical · May 13, 2026
    risk 0.57 · cvss 9.9 · epss 0.00

    ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 16.9.1.

  • CVE-2023-54345 · High · May 5, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script…

  • CVE-2026-35614 · Critical · Apr 7, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulk_update. This vulnerability is fixed in 16.14.0 and 15.104.0.

  • CVE-2025-10655 · High · Dec 9, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe HelpDesk: 1.14.0.

  • CVE-2024-38992 · High · Jul 1, 2024
    risk 0.57 · cvss 8.8 · epss 0.01

    airvertco frappejs v0.0.11 was discovered to contain a prototype pollution via the function registerView. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

  • CVE-2018-3885 · High · Sep 12, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The order_by parameter can be used to perform an SQL injection attack. An attacker can use a…

  • CVE-2018-3884 · High · Sep 12, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The sort_by and start parameter can be used to perform an SQL injection attack. An attacker can…

  • CVE-2018-3883 · High · Sep 12, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The employee and sort_order parameter can be used to perform an SQL injection attack. An attacker…

  • CVE-2018-3882 · High · Sep 12, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The searchfield parameter can be used to perform an SQL injection attack. An attacker can use a…

  • CVE-2017-1000120 · High · Oct 5, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    [ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter.

  • CVE-2026-39405 · Critical · May 20, 2026
    risk 0.54 · cvss n/a · epss 0.00

    Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.50.0 and below, a user with course editing role could upload a SCORM ZIP package to write files outside the intended directory. This issue has been resolved in…

  • CVE-2026-31281 · High · Apr 13, 2026
    risk 0.52 · cvss 8.0 · epss 0.00

    Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in execution of the code, which may lead to session hijacking and executing commands on the victim's…

  • CVE-2026-39351 · Critical · Apr 7, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit.

  • CVE-2026-39352 · High · May 20, 2026
    risk 0.50 · cvss n/a · epss 0.01

    Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above.

  • CVE-2026-44447 · High · May 13, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 16.9.0.

  • CVE-2026-44446 · High · May 13, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is…

  • CVE-2026-33715 · High · Apr 14, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that…

  • CVE-2026-28436 · High · Mar 5, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in…

  • CVE-2026-31941 · High · Apr 10, 2026
    risk 0.43 · cvss 7.7 · epss 0.00

    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main…

  • CVE-2018-11339 · Medium · May 22, 2018
    risk 0.43 · cvss 6.1 · epss 0.04

    An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment.

  • CVE-2026-45081 · Medium · May 27, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0.

  • CVE-2026-41317 · High · Apr 24, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). `press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to the database and it is also accessible via the GET method.…

  • CVE-2026-38432 · Medium · May 5, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that is executed in the victim's browser when the template is applied.

  • CVE-2026-34602 · High · Apr 14, 2026
    risk 0.39 · cvss 7.1 · epss 0.00

    Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR), allowing an authenticated attacker to modify the user parameter in the request body to enroll…

  • CVE-2026-32930 · High · Apr 10, 2026
    risk 0.39 · cvss 7.1 · epss 0.00

    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations…

  • CVE-2026-32894 · High · Apr 10, 2026
    risk 0.39 · cvss 7.1 · epss 0.00

    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by…

  • CVE-2026-53568 · Medium · Jun 12, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, there is a stored XSS vulnerability in Frappe Report/List View. This issue has been patched in versions 15.107.2 and 16.17.4.

  • CVE-2026-50026 · Medium · Jun 12, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, a lack of permission checks in these endpoints allowed unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.

  • CVE-2026-44208 · Medium · Jun 12, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.

  • CVE-2026-44207 · Medium · Jun 12, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allows authenticated users to access other users' email configuration details. This issue has been patched in versions 15.107.0 and 16.17.0.

  • CVE-2026-44206 · Medium · Jun 12, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration is possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4.

  • CVE-2026-47739 · Medium · Jun 12, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, stored XSS in Note was possible due to lack of sanitization. This issue has been patched in versions 15.106.0 and 16.16.0.

  • CVE-2026-44205 · Medium · Jun 12, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Frappe is a full-stack web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allows an attacker to execute malicious scripts in the browsers of other users. This issue has been patched in version 15.106.0.

  • CVE-2026-41581 · Medium · Jun 12, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, there is a possible SQL Injection via get_blog_list. This issue has been patched in versions 15.106.0 and 16.16.0.

  • CVE-2025-53545 · Medium · Jul 8, 2025
    risk 0.38 · cvss n/a · epss 0.00

    Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Users can circumvent 2FA login for users due to a lack of server side validation for the same. This vulnerability is fixed in commit…

  • CVE-2026-44445 · Medium · May 13, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference vulnerability in the EDI Module enables an authenticated attacker to read files from the local file system,…

  • CVE-2026-44440 · Medium · May 13, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability on an endpoint allows an authenticated adjacent attacker to read arbitrary files.…

  • CVE-2026-3673 · Medium · Apr 22, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping.…

  • CVE-2026-41320 · Medium · Apr 21, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to.…

  • CVE-2026-40889 · Medium · Apr 21, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting a certain API endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available.

  • CVE-2026-40888 · Medium · Apr 21, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with the default role can access unauthorized information by exploiting a certain API endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known…

  • CVE-2026-34370 · Medium · Apr 14, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the notebook module contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated student to read the private course notes of any other user on the…

  • CVE-2026-33708 · Medium · Apr 10, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no…

Page 1 of 4