Frappe ERPNext 15.67.0

Submit a proposal Propose CVE/GCVE/GHSA reference

Approved changes feed: RSS · Atom

cpe:2.3:a:frappe:erpnext:15.67.0:*:*:*:*:*:*:*

part: a version: 15.67.0 update: *

VendorFrappe (a51f8b94-1fb6-5e30-97d7-fbeb544c71ba)
ProductErpnext (bd490dec-a7c0-525e-8fd2-591f39522182)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from NVD CPE 2.0 feed

PURL mappings

PURLSourceLast updated
pkg:github/frappe/erpnext purl2cpe 2026-06-01 10:17:00.630048
pkg:sourceforge/erpnext.mirror purl2cpe 2026-06-01 10:17:00.630049

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2025-56381 vulnerable 2026-06-08 07:33:15.594712 Details available
ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters.
Published: 2025-10-02T00:00:00.000Z
Updated: 2025-10-02T18:09:21.859Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-56380 vulnerable 2026-06-08 07:33:15.594280 Details available
Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the frappe.client.get_value API endpoint and a crafted script to the fieldname parameter
Published: 2025-10-02T00:00:00.000Z
Updated: 2025-10-02T18:06:15.422Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-56379 vulnerable 2026-06-08 07:33:15.593031 Details available
A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field.
Published: 2025-10-02T00:00:00.000Z
Updated: 2025-10-03T19:08:57.732Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.