VYPR: Vendor CVEs for Frappe (all CVEs)

198 total · sorted by risk
  • CVE-2025-58439 · Sep 6, 2025
    risk 0.00 · cvss n/a · epss 0.00

    ERPNext is a free and open source Enterprise Resource Planning tool. In versions below 14.89.2 and 15.0.0 through 15.75.1, lack of validation of parameters left certain endpoints vulnerable to error-based SQL Injection. Some information like version could be retrieved. This issue is…

  • CVE-2025-55732 · Aug 20, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Frappe is a full-stack web application framework. Prior to 15.74.2 and 14.96.15, an attacker could perform SQL injection through specially crafted requests, gaining access to sensitive information. This vulnerability is a bypass of the official patch released…

  • CVE-2025-55731 · Aug 20, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Frappe is a full-stack web application framework. A carefully crafted request could extract data, via SQL injection, that the user would normally not have access to. This vulnerability is fixed in 15.74.2 and 14.96.15.

  • CVE-2025-55006 · Aug 9, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Frappe Learning is a learning system that helps users structure their content. In versions 2.33.0 and below, the image upload functionality did not adequately sanitize uploaded SVG files. This allowed users to upload SVG files containing embedded JavaScript or other potentially…

  • CVE-2025-52898 · Jun 30, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self-hosted instances configured in a certain way.…

  • CVE-2025-52896 · Jun 30, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There…

  • CVE-2025-52895 · Jun 30, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow a malicious actor to gain access to sensitive information. This issue has been patched in versions 14.94.3…

  • CVE-2025-30217 · Mar 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 14.93.2 and 15.55.0, a SQL Injection vulnerability in Frappe Framework could allow a malicious actor to access sensitive information. Versions 14.93.2 and 15.55.0 contain a patch for…

  • CVE-2025-30214 · Mar 25, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 14.89.0 and 15.51.0, crafted requests could lead to information disclosure that could further lead to account takeover. Versions 14.89.0 and 15.51.0 fix the issue. There's no workaround to fix this…

  • CVE-2025-30213 · Mar 25, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Frappe is a full-stack web application framework. Prior to versions 14.91.0 and 15.52.0, a system user was able to create certain documents in a specific way that could lead to remote code execution. Versions 14.91.0 and 15.52.0 contain a patch for the vulnerability. There's no…

  • CVE-2025-30212 · Mar 25, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Frappe is a full-stack web application framework. A SQL Injection vulnerability has been identified in Frappe Framework prior to versions 14.89.0 and 15.51.0 which could allow a malicious actor to access sensitive information. Versions 14.89.0 and 15.51.0 fix the issue.…

  • CVE-2024-50356 · Oct 31, 2024 · severity None
    risk 0.00 · cvss 0.0 · epss 0.00

    Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). The password could be reset by anyone who has access to the mail inbox, circumventing 2FA. Even though they wouldn't be able to login by…

  • CVE-2024-34074 · May 9, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Frappe is a full-stack web application framework. Prior to 15.26.0 and 14.74.0, the login page accepted a redirect argument and allowed redirects to untrusted external URLs. This behaviour can be used by malicious actors for phishing. This vulnerability is fixed in 15.26.0 and…

  • CVE-2024-27105 · Mar 20, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.16.0 contain a patch for this issue. No…

  • CVE-2024-24813 · Mar 20, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue.…

  • CVE-2024-24812 · Feb 7, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client side library. Prior to versions 14.59.0 and 15.5.0, portal pages are susceptible to Cross-Site Scripting (XSS) which can be used to inject malicious…

  • CVE-2023-5555 · Oct 12, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Cross-site Scripting (XSS) - Generic in GitHub repository frappe/lms prior to 5614a6203fb7d438be8e2b1e3030e4528d170ec4.

  • CVE-2023-42807 · Sep 21, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the `main` branch. Users won't face this issue if they are using the latest main branch of the…

  • CVE-2023-38891 · Sep 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php.

  • CVE-2023-41328 · Sep 6, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Frappe is a low code web framework written in Python and Javascript. A SQL Injection vulnerability has been identified in the Frappe Framework which could allow a malicious actor to access sensitive information. This issue has been addressed in versions 13.46.1 and 14.20.0.…

  • CVE-2023-27897 · Apr 11, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In SAP CRM - versions 700, 701, 702, 712, 713, an attacker who is authenticated with a non-administrative role and a common remote execution authorization can use a vulnerable interface to execute an application function to perform actions which they would not normally be…

  • CVE-2022-41712 · Nov 25, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter.

  • CVE-2022-3988 · Nov 14, 2022
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability was found in Frappe. It has been rated as problematic. Affected by this issue is some unknown functionality of the file frappe/templates/includes/navbar/navbar_search.html of the component Search. The manipulation of the argument q leads to cross-site scripting.…

  • CVE-2022-38335 · Sep 27, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules.

  • CVE-2022-23055 · Jun 22, 2022
    risk 0.00 · cvss n/a · epss 0.01

    In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating the administrator. The attacker…

  • CVE-2022-23058 · Jun 22, 2022
    risk 0.00 · cvss n/a · epss 0.01

    ERPNext versions v12.0.9 through v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the 'username' field in 'my settings', which can lead to full account takeover.

  • CVE-2022-23056 · Jun 22, 2022
    risk 0.00 · cvss n/a · epss 0.01

    In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS on the Patient History page, which allows a low privilege user to conduct an account takeover attack.

  • CVE-2022-23057 · Jun 22, 2022
    risk 0.00 · cvss n/a · epss 0.01

    In ERPNext, versions v12.0.9 through v13.0.3 are vulnerable to Stored Cross-Site Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing their profile.

  • CVE-2020-35175 · Dec 11, 2020
    risk 0.00 · cvss n/a · epss 0.01

    Frappe Framework 12 and 13 does not properly validate the HTTP method for the frappe.client API.

  • CVE-2020-27508 · Dec 11, 2020
    risk 0.00 · cvss n/a · epss 0.01

    In two-factor authentication, the system also sends the 2FA secret key in the response, which enables an intruder to bypass 2FA.

  • CVE-2020-6145 · Aug 10, 2020
    risk 0.00 · cvss n/a · epss 0.02

    An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

  • CVE-2019-20521 · Mar 19, 2020
    risk 0.00 · cvss n/a · epss 0.01

    ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI.

  • CVE-2019-20520 · Mar 19, 2020
    risk 0.00 · cvss n/a · epss 0.01

    ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI.

  • CVE-2019-20519 · Mar 19, 2020
    risk 0.00 · cvss n/a · epss 0.01

    ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address.

  • CVE-2019-20518 · Mar 19, 2020
    risk 0.00 · cvss n/a · epss 0.01

    ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI.

  • CVE-2019-20517 · Mar 19, 2020
    risk 0.00 · cvss n/a · epss 0.01

    ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI.

  • CVE-2019-20514 · Mar 19, 2020
    risk 0.00 · cvss n/a · epss 0.01

    ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI.

  • CVE-2019-20511 · Mar 18, 2020
    risk 0.00 · cvss n/a · epss 0.01

    ERPNext 11.1.47 allows blog?blog_category= Frame Injection.

  • CVE-2019-20529 · Mar 18, 2020
    risk 0.00 · cvss n/a · epss 0.01

    In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files.

  • CVE-2019-15775 · Aug 29, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The nd-learning plugin before 4.8 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting.

  • CVE-2019-15700 · Aug 27, 2019
    risk 0.00 · cvss n/a · epss 0.01

    public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is affected by crafted "changed value of" text.

  • CVE-2019-14965 · Aug 12, 2019
    risk 0.00 · cvss n/a · epss 0.03

    An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists.

  • CVE-2019-14966 · Aug 12, 2019
    risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. There exists an authenticated SQL injection.

  • CVE-2019-14967 · Aug 12, 2019
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. There exists an XSS vulnerability.

  • CVE-2018-20061 · Dec 11, 2018
    risk 0.00 · cvss n/a · epss 0.01

    A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a…

  • CVE-2006-4617 · Sep 7, 2006
    risk 0.00 · cvss n/a · epss 0.01

    Unrestricted file upload vulnerability in fileupload.html in vtiger CRM 4.2.4, and possibly earlier versions, allows remote attackers to upload and execute arbitrary files with executable extensions in the /cashe/mails folder.

  • CVE-2005-3822 · Nov 26, 2005
    risk 0.00 · cvss n/a · epss 0.01

    Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username in the login form or (2) record parameter, as demonstrated in the EditView action for the Contacts module.

  • CVE-2005-3821 · Nov 26, 2005
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site scripting (XSS) vulnerability in vTiger CRM 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via multiple vectors, including the account name.
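Roughly a third of the Frappe entries in this list are SQL injection through crafted request parameters in list or report endpoints (CVE-2020-6145 names frappe.desk.reportview.get; the 2024 and 2025 entries describe the same class of issue, some of it error-based). The block below is an added example, not Frappe's code and not an exploit for any listed CVE: a hypothetical "report view" endpoint written once with the vulnerable string-interpolation pattern and once with identifier allowlisting plus bound parameters, run against a constructed SQLite schema (a `todo` table and a `user` table holding a secret) so the difference in behaviour is observable. Table, column and row names are invented for the illustration.

```python
import sqlite3

# Added example, not Frappe's code: a hypothetical report endpoint that accepts
# fields, filters and order_by from the client. Schema and rows are constructed.

COLUMNS = {"name", "owner", "status", "modified"}        # allowlist for the todo table
OPERATORS = {"=": "=", "!=": "!=", "like": "LIKE", ">": ">", "<": "<"}


def build_query_unsafe(fields, filters, order_by):
    """Vulnerable pattern: client-supplied strings interpolated straight into SQL."""
    where = " AND ".join("%s %s '%s'" % (col, op, val) for col, op, val in filters) or "1=1"
    sql = "SELECT %s FROM todo WHERE %s ORDER BY %s" % (", ".join(fields), where, order_by)
    return sql, ()


def build_query(fields, filters, order_by):
    """Hardened: identifiers are checked against an allowlist, values are bound."""
    for field in fields:
        if field not in COLUMNS:
            raise ValueError("unknown field %r" % field)
    clauses, params = [], []
    for col, op, val in filters:
        if col not in COLUMNS or op not in OPERATORS:
            raise ValueError("bad filter %r" % ((col, op),))
        clauses.append("%s %s ?" % (col, OPERATORS[op]))   # value goes through a placeholder
        params.append(val)
    # order_by is an identifier plus a direction; neither can be a bound parameter,
    # so both are validated against fixed sets instead.
    col, _, direction = order_by.strip().partition(" ")
    direction = direction.strip().upper() or "ASC"
    if col not in COLUMNS or direction not in ("ASC", "DESC"):
        raise ValueError("bad order_by %r" % order_by)
    sql = "SELECT %s FROM todo WHERE %s ORDER BY %s %s" % (
        ", ".join(fields), " AND ".join(clauses) or "1=1", col, direction)
    return sql, tuple(params)


def run(builder, fields, filters, order_by):
    """Execute a built query against an in-memory database seeded with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE todo(name TEXT, owner TEXT, status TEXT, modified TEXT);
        CREATE TABLE user(name TEXT, api_secret TEXT);
        INSERT INTO todo VALUES ('TODO-1', 'alice', 'Open', '2025-01-01'),
                                ('TODO-2', 'bob', 'Closed', '2025-01-02');
        INSERT INTO user VALUES ('bob', 's3cr3t');
    """)
    try:
        sql, params = builder(fields, filters, order_by)
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    fields = ["name", "owner", "status", "modified"]
    # A filter value that closes the quoted literal and appends a UNION over another table.
    payload = [("owner", "=", "x' UNION SELECT name, api_secret, 1, 1 FROM user --")]
    print("unsafe:", run(build_query_unsafe, fields, payload, "name"))  # leaks user.api_secret
    print("safe:  ", run(build_query, fields, payload, "name"))          # [] : value bound literally
    try:
        build_query(["name"], [], "name; DROP TABLE todo")
    except ValueError as exc:
        print("rejected:", exc)
```

The split matters: values can always be bound, but field names, operators and sort direction are identifiers that placeholders cannot carry, so they have to be compared against an allowlist rather than escaped. Database errors from a rejected query should also be logged server-side and not echoed to the caller, since error messages are exactly what an error-based injection reads.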
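CVE-2025-55006 in the list above describes an image upload path that accepted SVG files with embedded JavaScript. The validator below is an added example, not Frappe Learning's code: it rejects an uploaded SVG instead of trying to clean it, using only the standard library, and checks the handful of places script can hide in an SVG (script and foreignObject elements, on* handler attributes, javascript: hrefs, external resources reached through href or CSS, and DOCTYPE entity declarations that attack the parser itself). The element and attribute policy and the sample documents are constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not Frappe Learning's code. Policy: reject rather than clean.
# Elements that can execute script, embed foreign content, or rewrite attributes
# at run time (animate/set can point an href at javascript: after load).
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object",
                      "animate", "set"}
# CSS that reaches outside the document: @import, or url() not pointing at a fragment.
EXTERNAL_CSS = re.compile(r"@import|url\(\s*(?!['\"]?#)", re.IGNORECASE)


def _local(name):
    """Strip an XML namespace prefix: '{http://www.w3.org/2000/svg}svg' -> 'svg'."""
    return name.rsplit("}", 1)[-1]


def _href_allowed(value):
    """Only same-document fragments and embedded raster images are accepted."""
    v = value.strip().lower()
    return v.startswith("#") or v.startswith("data:image/")


def svg_upload_problems(data):
    """Return the reasons to reject an uploaded SVG (bytes); an empty list means it passed."""
    lowered = data.lower()
    # DOCTYPE/ENTITY declarations enable entity-expansion attacks on the XML parser.
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return ["DOCTYPE or ENTITY declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if _local(root.tag) != "svg":
        return ["root element is <%s>, not <svg>" % _local(root.tag)]
    problems = []
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            problems.append("forbidden element <%s>" % name)
        if name == "style" and el.text and EXTERNAL_CSS.search(el.text):
            problems.append("<style> block references an external resource")
        for attr, value in el.attrib.items():
            aname = _local(attr)          # covers both href and xlink:href
            if aname.lower().startswith("on"):
                problems.append("event handler attribute %s on <%s>" % (aname, name))
            elif aname == "href" and not _href_allowed(value):
                problems.append("href %r on <%s> is not a fragment or data:image URL" % (value, name))
            elif aname == "style" and EXTERNAL_CSS.search(value):
                problems.append("inline style on <%s> references an external resource" % name)
    return problems


# Constructed sample documents for this illustration.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <defs><circle id="dot" r="4" fill="#09f"/></defs>
  <use href="#dot" x="5" y="5"/>
</svg>"""

SCRIPT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <script>alert(document.domain)</script>
</svg>"""

HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="javascript:alert(1)"><rect width="10" height="10" onload="alert(2)"/></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("script", SCRIPT_SVG), ("handlers", HANDLER_SVG)):
        print(label, svg_upload_problems(doc) or "ok")
```

Even with a validator in place, the safer deployment choice is to serve user uploads from a separate origin (or with `Content-Disposition: attachment` and a restrictive Content-Security-Policy), so that any SVG that does get through cannot run in the application's origin.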
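CVE-2024-34074 above describes a login page that honoured a client-supplied redirect argument pointing at external URLs, which turns the trusted login domain into a phishing hop. The function below is an added example, not code from this page or from the Frappe project, showing the check a post-login redirect handler should apply before honouring such a parameter; the function name and the fallback landing path `/app` are assumptions made for the illustration. It goes slightly beyond a bare same-host comparison and covers the usual bypasses (percent-encoded slashes, backslashes, control characters, triple slashes).

```python
from urllib.parse import unquote, urlsplit

# Added example, not Frappe's code. The function name and the fallback landing
# path are assumptions made for this illustration.
DEFAULT_LANDING = "/app"


def safe_redirect_target(candidate, default=DEFAULT_LANDING):
    """Return `candidate` only if it is a plain same-site path; otherwise `default`.

    The check runs on the percent-decoded value so that "%2F%2Fevil.example"
    cannot slip past a naive startswith("//") test.
    """
    if not candidate:
        return default
    target = unquote(candidate).strip()
    # Control characters (tab, newline, NUL) let parsers disagree about where the
    # host starts; a legitimate in-app path never contains them.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        return default
    # Browsers treat a backslash like a slash, so "/\evil.example" becomes
    # "//evil.example" on the client even though urlsplit sees only a path.
    if "\\" in target:
        return default
    parts = urlsplit(target)
    # Any scheme ("https:", "javascript:") or authority ("//host") is external.
    if parts.scheme or parts.netloc:
        return default
    # Require exactly one leading slash: "///host" is host-relative to browsers.
    if not target.startswith("/") or target.startswith("//"):
        return default
    return target


if __name__ == "__main__":
    for value in ("/app/todo?open=1", "//evil.example/", "https://evil.example/login",
                  "javascript:alert(1)", "/\\evil.example", "%2F%2Fevil.example", "///evil.example"):
        print("%-28r -> %s" % (value, safe_redirect_target(value)))
```

Allowing only relative paths is stricter than comparing hostnames, and that is the point: a login flow rarely needs to send users off-site, so the allowlist is "this site" and nothing else.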

Page 4 of 4