VYPR: Vendor CVEs

Frappe

All CVEs (198 total, sorted by risk)
  • CVE-2026-33703 · Medium · Apr 10, 2026
    risk 0.35 · CVSS 6.5 · EPSS 0.00

    Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by…

  • CVE-2026-42840 · Medium · Jun 3, 2026
    risk 0.33 · CVSS n/a · EPSS 0.00

    An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0.

  • CVE-2026-44441 · Medium · May 13, 2026
    risk 0.33 · CVSS 5.0 · EPSS 0.00

    ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoint, which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in…

  • CVE-2026-41430 · Medium · Apr 24, 2026
    risk 0.33 · CVSS 6.1 · EPSS 0.00

    Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). The redirect parameter on the login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue…

  • CVE-2026-34606 · Medium · Apr 2, 2026
    risk 0.33 · CVSS 6.1 · EPSS 0.00

    Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0.

  • CVE-2025-11281 · Medium · Oct 5, 2025
    risk 0.33 · CVSS 5.0 · EPSS 0.00

    A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the component Unpublished Course Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. This attack is…

  • CVE-2026-42839 · Medium · Jun 3, 2026
    risk 0.31 · CVSS n/a · EPSS 0.00

    An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a…

  • CVE-2026-44448 · Medium · May 13, 2026
    risk 0.31 · CVSS 5.9 · EPSS 0.00

    ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 15.102.0 and 16.11.0.

  • CVE-2026-3837 · Medium · Apr 22, 2026
    risk 0.28 · CVSS 5.4 · EPSS 0.00

    An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element…

  • CVE-2026-34161 · Medium · Apr 14, 2026
    risk 0.28 · CVSS 5.4 · EPSS 0.00

    Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the social post attachment upload functionality, where an authenticated user can upload a malicious HTML file containing…

  • CVE-2026-47182 · Medium · Jun 12, 2026
    risk 0.27 · CVSS n/a · EPSS 0.00

    Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4.

  • CVE-2026-44976 · Medium · Jun 12, 2026
    risk 0.27 · CVSS n/a · EPSS 0.00

    Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4.

  • CVE-2026-44975 · Medium · Jun 12, 2026
    risk 0.27 · CVSS n/a · EPSS 0.00

    Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4.

  • CVE-2026-33737 · Medium · Apr 10, 2026
    risk 0.27 · CVSS 5.3 · EPSS 0.00

    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With the LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

  • CVE-2026-33705 · Medium · Apr 10, 2026
    risk 0.27 · CVSS 5.3 · EPSS 0.00

    Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs,…

  • CVE-2025-11280 · Low · Oct 5, 2025
    risk 0.24 · CVSS 3.7 · EPSS 0.00

    A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The…

  • CVE-2026-39415 · Medium · Apr 8, 2026
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on…

  • CVE-2025-11283 · Low · Oct 5, 2025
    risk 0.16 · CVSS 2.4 · EPSS 0.00

    A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly…

  • CVE-2025-11282 · Low · Oct 5, 2025
    risk 0.16 · CVSS 2.4 · EPSS 0.00

    A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made…

  • CVE-2025-59421 · Low · Sep 18, 2025
    risk 0.11 · CVSS n/a · EPSS 0.00

    Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). A bad actor can flood the inbox of a user by repeatedly sending invites (duplicate). The issue is fixed in commit…

  • CVE-2013-3214 · Jan 28, 2020
    risk 0.10 · CVSS n/a · EPSS 0.85

    vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'.

  • CVE-2013-3591 · Feb 7, 2020
    risk 0.09 · CVSS n/a · EPSS 0.43

    vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability

  • CVE-2013-3215 · Jan 29, 2020
    risk 0.09 · CVSS n/a · EPSS 0.69

    vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function.

  • CVE-2026-46546 · Low · Jun 10, 2026
    risk 0.07 · CVSS n/a · EPSS 0.00

    Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to version 2.53.0, an authenticated user could supply specially crafted content in certain user-editable fields that, when surfaced in page metadata, caused visitors'…

  • CVE-2013-3212 · Jan 28, 2020
    risk 0.05 · CVSS n/a · EPSS 0.08

    vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allow remote attackers to view files and execute local script code.

  • CVE-2019-5009 · Jan 4, 2019
    risk 0.04 · CVSS n/a · EPSS 0.10

    Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a…

  • CVE-2025-28062 · May 5, 2025
    risk 0.03 · CVSS n/a · EPSS 0.01

    A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections.

  • CVE-2023-46127 · Oct 23, 2023
    risk 0.03 · CVSS n/a · EPSS 0.37

    Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and an integrated client side library. A malicious Frappe user with desk access could create documents containing HTML payloads allowing HTML Injection. This vulnerability has been…

  • CVE-2022-28598 · Aug 22, 2022
    risk 0.03 · CVSS n/a · EPSS 0.05

    Frappe ERPNext 12.29.0 is vulnerable to XSS, where the software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users.

  • CVE-2005-3819 · Nov 26, 2005
    risk 0.03 · CVSS n/a · EPSS 0.03

    Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameters in the HelpDesk module.

  • CVE-2024-49751 · Low · Oct 23, 2024
    risk 0.01 · CVSS n/a · EPSS 0.00

    Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Prior to commit 5d118a902872d7941f099ad1fb918e2421e79ccd, a user could inject HTML through SaaS signup inputs. The user who injected the unsafe…

  • CVE-2026-50712 · Jun 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.ui.Tree component.

  • CVE-2026-50711 · Jun 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component.

  • CVE-2026-50710 · Jun 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component.

  • CVE-2026-50709 · Jun 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications > Events panel.

  • CVE-2026-50708 · Jun 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the MultiSelectDialog component.

  • CVE-2026-50705 · Jun 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    A Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer.

  • CVE-2026-50704 · Jun 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the File View breadcrumb renderer.

  • CVE-2026-50703 · Jun 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Desk desktop icon renderer.

  • CVE-2026-50701 · Jun 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    A Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component.

  • CVE-2026-50700 · Jun 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.get_avatar function.

  • CVE-2026-50699 · Jun 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger script execution when users…

  • CVE-2026-50698 · Jun 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component.

  • CVE-2026-32954 · Mar 20, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database…

  • CVE-2026-30882 · Mar 16, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Chamilo LMS is a learning management system. Chamilo LMS version 1.11.34 and prior contains a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page. The keyword parameter from $_REQUEST is echoed directly into an HTML href attribute without any…

  • CVE-2026-30881 · Mar 16, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST are embedded directly into a raw SQL string without proper sanitization. Although…

  • CVE-2026-31879 · Mar 11, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other users' private workspaces. Specially crafted requests could lead to stored XSS here. This…

  • CVE-2026-31878 · Mar 11, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1,…

  • CVE-2026-31877 · Mar 11, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in…

  • CVE-2026-29041 · Mar 6, 2026
    risk 0.00 · CVSS n/a · EPSS 0.01

    Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The application relies solely on MIME-type verification when handling file uploads…