Vendor CVEs
Frappe
All CVEs
198 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-33703 | Med | 0.35 | 6.5 | 0.00 | Apr 10, 2026 | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by… | ||
| CVE-2026-42840 | Med | 0.33 | — | 0.00 | Jun 3, 2026 | An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0. | ||
| CVE-2026-44441 | Med | 0.33 | 5.0 | 0.00 | May 13, 2026 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoint, which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in… | ||
| CVE-2026-41430 | Med | 0.33 | 6.1 | 0.00 | Apr 24, 2026 | Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue… | ||
| CVE-2026-34606 | Med | 0.33 | 6.1 | 0.00 | Apr 2, 2026 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0. | ||
| CVE-2025-11281 | Med | 0.33 | 5.0 | 0.00 | Oct 5, 2025 | A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the component Unpublished Course Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. This attack is… | ||
| CVE-2026-42839 | Med | 0.31 | — | 0.00 | Jun 3, 2026 | An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a… | ||
| CVE-2026-44448 | Med | 0.31 | 5.9 | 0.00 | May 13, 2026 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 15.102.0 and 16.11.0. | ||
| CVE-2026-3837 | Med | 0.28 | 5.4 | 0.00 | Apr 22, 2026 | An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element… | ||
| CVE-2026-34161 | Med | 0.28 | 5.4 | 0.00 | Apr 14, 2026 | Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the social post attachment upload functionality, where an authenticated user can upload a malicious HTML file containing… | ||
| CVE-2026-47182 | Med | 0.27 | — | 0.00 | Jun 12, 2026 | Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4. | ||
| CVE-2026-44976 | Med | 0.27 | — | 0.00 | Jun 12, 2026 | Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4. | ||
| CVE-2026-44975 | Med | 0.27 | — | 0.00 | Jun 12, 2026 | Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4. | ||
| CVE-2026-33737 | Med | 0.27 | 5.3 | 0.00 | Apr 10, 2026 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | ||
| CVE-2026-33705 | Med | 0.27 | 5.3 | 0.00 | Apr 10, 2026 | Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs,… | ||
| CVE-2025-11280 | Low | 0.24 | 3.7 | 0.00 | Oct 5, 2025 | A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The… | ||
| CVE-2026-39415 | Med | 0.21 | 4.3 | 0.00 | Apr 8, 2026 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on… | ||
| CVE-2025-11283 | Low | 0.16 | 2.4 | 0.00 | Oct 5, 2025 | A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly… | ||
| CVE-2025-11282 | Low | 0.16 | 2.4 | 0.00 | Oct 5, 2025 | A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made… | ||
| CVE-2025-59421 | Low | 0.11 | — | 0.00 | Sep 18, 2025 | Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). A bad actor can flood the inbox of a user by repeatedly sending invites (duplicate). The issue is fixed in commit… | ||
| CVE-2013-3214 | 0.10 | — | 0.85 | Jan 28, 2020 | vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'. | |||
| CVE-2013-3591 | 0.09 | — | 0.43 | Feb 7, 2020 | vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability | |||
| CVE-2013-3215 | 0.09 | — | 0.69 | Jan 29, 2020 | vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function. | |||
| CVE-2026-46546 | Low | 0.07 | — | 0.00 | Jun 10, 2026 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to version 2.53.0, an authenticated user could supply specially crafted content in certain user-editable fields that, when surfaced in page metadata, caused visitors'… | ||
| CVE-2013-3212 | 0.05 | — | 0.08 | Jan 28, 2020 | vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to view files and execute local script code. | |||
| CVE-2019-5009 | 0.04 | — | 0.10 | Jan 4, 2019 | Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a… | |||
| CVE-2025-28062 | 0.03 | — | 0.01 | May 5, 2025 | A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections. | |||
| CVE-2023-46127 | 0.03 | — | 0.37 | Oct 23, 2023 | Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and an integrated client side library. A malicious Frappe user with desk access could create documents containing HTML payloads allowing HTML Injection. This vulnerability has been… | |||
| CVE-2022-28598 | 0.03 | — | 0.05 | Aug 22, 2022 | Frappe ERPNext 12.29.0 is vulnerable to XSS where the software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. | |||
| CVE-2005-3819 | 0.03 | — | 0.03 | Nov 26, 2005 | Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module. | |||
| CVE-2024-49751 | Low | 0.01 | — | 0.00 | Oct 23, 2024 | Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Prior to commit 5d118a902872d7941f099ad1fb918e2421e79ccd, a user could inject HTML through SaaS signup inputs. The user who injected the unsafe… | ||
| CVE-2026-50712 | 0.00 | — | 0.00 | Jun 24, 2026 | A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.ui.Tree component | |||
| CVE-2026-50711 | 0.00 | — | 0.00 | Jun 24, 2026 | A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component. | |||
| CVE-2026-50710 | 0.00 | — | 0.00 | Jun 24, 2026 | A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component. | |||
| CVE-2026-50709 | 0.00 | — | 0.00 | Jun 24, 2026 | A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications > Events panel. | |||
| CVE-2026-50708 | 0.00 | — | 0.00 | Jun 24, 2026 | A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the MultiSelectDialog component. | |||
| CVE-2026-50705 | 0.00 | — | 0.00 | Jun 24, 2026 | A Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer. | |||
| CVE-2026-50704 | 0.00 | — | 0.00 | Jun 24, 2026 | A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the File View breadcrumb renderer. | |||
| CVE-2026-50703 | 0.00 | — | 0.00 | Jun 24, 2026 | A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Desk desktop icon renderer. | |||
| CVE-2026-50701 | 0.00 | — | 0.00 | Jun 24, 2026 | A Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component. | |||
| CVE-2026-50700 | 0.00 | — | 0.00 | Jun 24, 2026 | A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.get_avatar function. | |||
| CVE-2026-50699 | 0.00 | — | 0.00 | Jun 24, 2026 | A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger script execution when users… | |||
| CVE-2026-50698 | 0.00 | — | 0.00 | Jun 24, 2026 | A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component. | |||
| CVE-2026-32954 | 0.00 | — | 0.00 | Mar 20, 2026 | ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database… | |||
| CVE-2026-30882 | 0.00 | — | 0.00 | Mar 16, 2026 | Chamilo LMS is a learning management system. Chamilo LMS version 1.11.34 and prior contains a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page. The keyword parameter from $_REQUEST is echoed directly into an HTML href attribute without any… | |||
| CVE-2026-30881 | 0.00 | — | 0.00 | Mar 16, 2026 | Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST are embedded directly into a raw SQL string without proper sanitization. Although… | |||
| CVE-2026-31879 | 0.00 | — | 0.00 | Mar 11, 2026 | Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other user's private workspaces. Specially crafted requests could lead to stored XSS here. This… | |||
| CVE-2026-31878 | 0.00 | — | 0.00 | Mar 11, 2026 | Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1,… | |||
| CVE-2026-31877 | 0.00 | — | 0.00 | Mar 11, 2026 | Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in… | |||
| CVE-2026-29041 | 0.00 | — | 0.01 | Mar 6, 2026 | Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The application relies solely on MIME-type verification when handling file uploads… |
- risk 0.35cvss 6.5epss 0.00
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by…
- risk 0.33cvss —epss 0.00
An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0.
- risk 0.33cvss 5.0epss 0.00
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoint, which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in…
- risk 0.33cvss 6.1epss 0.00
Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue…
- risk 0.33cvss 6.1epss 0.00
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0.
- risk 0.33cvss 5.0epss 0.00
A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the component Unpublished Course Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. This attack is…
- risk 0.31cvss —epss 0.00
An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a…
- risk 0.31cvss 5.9epss 0.00
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 15.102.0 and 16.11.0.
- risk 0.28cvss 5.4epss 0.00
An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element…
- risk 0.28cvss 5.4epss 0.00
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the social post attachment upload functionality, where an authenticated user can upload a malicious HTML file containing…
- risk 0.27cvss —epss 0.00
Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4.
- risk 0.27cvss —epss 0.00
Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4.
- risk 0.27cvss —epss 0.00
Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4.
- risk 0.27cvss 5.3epss 0.00
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
- risk 0.27cvss 5.3epss 0.00
Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs,…
- risk 0.24cvss 3.7epss 0.00
A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The…
- risk 0.21cvss 4.3epss 0.00
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on…
- risk 0.16cvss 2.4epss 0.00
A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly…
- risk 0.16cvss 2.4epss 0.00
A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made…
- risk 0.11cvss —epss 0.00
Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). A bad actor can flood the inbox of a user by repeatedly sending invites (duplicate). The issue is fixed in commit…
- CVE-2013-3214Jan 28, 2020risk 0.10cvss —epss 0.85
vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'.
- CVE-2013-3591Feb 7, 2020risk 0.09cvss —epss 0.43
vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability
- CVE-2013-3215Jan 29, 2020risk 0.09cvss —epss 0.69
vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function.
- risk 0.07cvss —epss 0.00
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to version 2.53.0, an authenticated user could supply specially crafted content in certain user-editable fields that, when surfaced in page metadata, caused visitors'…
- CVE-2013-3212Jan 28, 2020risk 0.05cvss —epss 0.08
vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to view files and execute local script code.
- CVE-2019-5009Jan 4, 2019risk 0.04cvss —epss 0.10
Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a…
- CVE-2025-28062May 5, 2025risk 0.03cvss —epss 0.01
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections.
- CVE-2023-46127Oct 23, 2023risk 0.03cvss —epss 0.37
Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and an integrated client side library. A malicious Frappe user with desk access could create documents containing HTML payloads allowing HTML Injection. This vulnerability has been…
- CVE-2022-28598Aug 22, 2022risk 0.03cvss —epss 0.05
Frappe ERPNext 12.29.0 is vulnerable to XSS where the software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users.
- CVE-2005-3819Nov 26, 2005risk 0.03cvss —epss 0.03
Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module.
- risk 0.01cvss —epss 0.00
Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Prior to commit 5d118a902872d7941f099ad1fb918e2421e79ccd, a user could inject HTML through SaaS signup inputs. The user who injected the unsafe…
- CVE-2026-50712Jun 24, 2026risk 0.00cvss —epss 0.00
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.ui.Tree component
- CVE-2026-50711Jun 24, 2026risk 0.00cvss —epss 0.00
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component.
- CVE-2026-50710Jun 24, 2026risk 0.00cvss —epss 0.00
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component.
- CVE-2026-50709Jun 24, 2026risk 0.00cvss —epss 0.00
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications > Events panel.
- CVE-2026-50708Jun 24, 2026risk 0.00cvss —epss 0.00
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the MultiSelectDialog component.
- CVE-2026-50705Jun 24, 2026risk 0.00cvss —epss 0.00
A Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer.
- CVE-2026-50704Jun 24, 2026risk 0.00cvss —epss 0.00
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the File View breadcrumb renderer.
- CVE-2026-50703Jun 24, 2026risk 0.00cvss —epss 0.00
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Desk desktop icon renderer.
- CVE-2026-50701Jun 24, 2026risk 0.00cvss —epss 0.00
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component.
- CVE-2026-50700Jun 24, 2026risk 0.00cvss —epss 0.00
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.get_avatar function.
- CVE-2026-50699Jun 24, 2026risk 0.00cvss —epss 0.00
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger script execution when users…
- CVE-2026-50698Jun 24, 2026risk 0.00cvss —epss 0.00
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component.
- CVE-2026-32954Mar 20, 2026risk 0.00cvss —epss 0.00
ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database…
- CVE-2026-30882Mar 16, 2026risk 0.00cvss —epss 0.00
Chamilo LMS is a learning management system. Chamilo LMS version 1.11.34 and prior contains a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page. The keyword parameter from $_REQUEST is echoed directly into an HTML href attribute without any…
- CVE-2026-30881Mar 16, 2026risk 0.00cvss —epss 0.00
Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST are embedded directly into a raw SQL string without proper sanitization. Although…
- CVE-2026-31879Mar 11, 2026risk 0.00cvss —epss 0.00
Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other user's private workspaces. Specially crafted requests could lead to stored XSS here. This…
- CVE-2026-31878Mar 11, 2026risk 0.00cvss —epss 0.00
Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1,…
- CVE-2026-31877Mar 11, 2026risk 0.00cvss —epss 0.00
Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in…
- CVE-2026-29041Mar 6, 2026risk 0.00cvss —epss 0.01
Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The application relies solely on MIME-type verification when handling file uploads…
Page 2 of 4