
cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Frappe (a51f8b94-1fb6-5e30-97d7-fbeb544c71ba)
Product: Frappe (8a44176d-533c-53c6-aaf4-17dd3ac01c2a)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:github/frappe/frappe | purl2cpe | 2026-06-01 10:17:00.331456

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2026-3837 vulnerable 2026-06-03 15:23:33.592666 Frappe Framework 16.10.0 - Stored DOM XSS in Multiple Field Formatters
An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping. This issue affects Frappe: 16.10.0.
Published: 2026-04-22T19:52:56.248Z
Updated: 2026-04-27T17:37:35.899Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3673 vulnerable 2026-06-03 15:23:33.291322 Frappe Framework 16.10.0 - Stored DOM XSS in Tag Pill Renderer
An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping. This issue affects Frappe: 16.10.10.
Published: 2026-04-22T19:32:36.622Z
Updated: 2026-04-22T19:58:00.187Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-39352 vulnerable 2026-06-03 15:22:12.368520 Frappe has an Arbitrary File Read via Path Traversal in render_include
Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above.
Published: 2026-05-20T19:27:01.543Z
Updated: 2026-05-21T14:25:31.245Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-39351 vulnerable 2026-06-03 15:22:12.368202 Frappe allows unrestricted Doctype access via API exploit
Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit.
Published: 2026-04-07T18:52:01.531Z
Updated: 2026-04-09T16:10:37.051Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-35614 vulnerable 2026-06-03 15:22:12.106402 Frappe has a SQL injection in bulk_update
Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulk_update. This vulnerability is fixed in 16.14.0 and 15.104.0.
Published: 2026-04-07T16:42:12.740Z
Updated: 2026-04-09T14:41:12.703Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-31879 vulnerable 2026-06-03 15:20:41.293420 Frappe Workspace modification and stored XSS due to improper resource ownership checks
Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other users' private workspaces. Specially crafted requests could lead to stored XSS here. This vulnerability is fixed in 14.100.2, 15.101.0, and 16.10.0.
Published: 2026-03-11T18:34:18.375Z
Updated: 2026-03-11T19:30:30.761Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-31878 vulnerable 2026-06-03 15:20:41.293107 Frappe: Possible SSRF by any authenticated user
MEDIUM (5)
Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0.
Published: 2026-03-11T18:32:04.397Z
Updated: 2026-03-11T19:54:06.626Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-31877 vulnerable 2026-06-03 15:20:41.292675 Frappe SQL Injection due to improper field sanitization
Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0.
Published: 2026-03-11T18:28:35.596Z
Updated: 2026-03-12T20:07:46.367Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-29081 vulnerable 2026-06-03 15:19:22.866617 Frappe: Possibility of SQL Injection due to improper fieldname sanitization
MEDIUM (6.5)
Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0.
Published: 2026-03-05T20:23:13.490Z
Updated: 2026-03-06T17:02:00.462Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-29077 vulnerable 2026-06-03 15:19:22.861475 Frappe: Broken Access Control in DocShare
HIGH (7.1)
Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patched in versions 15.98.0 and 14.100.0.
Published: 2026-03-05T20:22:09.612Z
Updated: 2026-03-06T17:02:25.318Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-28436 vulnerable 2026-06-03 15:18:08.412792 Frappe: Stored XSS in avatar_macro.html
Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0.
Published: 2026-03-05T20:21:35.392Z
Updated: 2026-03-06T17:02:52.965Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-25956 vulnerable 2026-06-03 15:18:04.542721 Frappe Affected by XSS and Open Redirect in Sign Up
MEDIUM (6.1)
Frappe is a full-stack web application framework. Prior to 14.99.14 and 15.94.0, an attacker could craft a malicious signup URL for a frappe site which could lead to an open redirect (or reflected XSS, depending on the crafted payload) when a user signs up. This vulnerability is fixed in 14.99.14 and 15.94.0.
Published: 2026-02-10T17:39:20.430Z
Updated: 2026-02-10T19:27:58.893Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-68953 vulnerable 2026-06-03 15:11:04.264664 Certain Frappe requests are vulnerable to Path Traversal
HIGH (7.5)
Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are vulnerable to path traversal attacks. Arbitrary files from the server could be retrieved due to a lack of proper sanitization on some requests. This issue is fixed in versions 14.99.6 and 15.88.1. As a workaround, changing the setup to use a reverse proxy is recommended.
Published: 2026-01-05T21:53:39.251Z
Updated: 2026-01-06T19:04:38.829Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-68929 vulnerable 2026-06-03 15:11:04.232502 Frappe may be vulnerable to remote code execution due to server-side template injection
CRITICAL (9.1)
Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server, resulting in remote code execution. Versions 14.99.6 and 15.88.1 fix the issue. No known workarounds are available.
Published: 2025-12-29T15:10:59.510Z
Updated: 2025-12-29T16:13:17.680Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-66206 vulnerable 2026-06-03 15:09:41.311557 Frappe vulnerable to a path traversal allowing reading certain files
MEDIUM (6.8)
Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, certain requests were vulnerable to path traversal attacks, wherein some files from the server could be retrieved if the full path was known. Sites hosted on Frappe Cloud, and even other setups that are behind a reverse proxy like NGINX are unaffected. This would mainly affect someone directly using werkzeug/gunicorn. In those cases, either an upgrade or changing the setup to use a reverse proxy is recommended. This vulnerability is fixed in 15.86.0 and 14.99.2.
Published: 2025-12-01T20:29:07.386Z
Updated: 2025-12-01T20:37:05.162Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-66205 vulnerable 2026-06-03 15:09:41.311093 Frappe has the possibility of SQL Injection due to improper validations
HIGH (7.1)
Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2.
Published: 2025-12-01T20:26:14.459Z
Updated: 2025-12-01T21:19:52.208Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-62407 vulnerable 2026-06-03 15:07:58.732565 Frappe has an Open Redirect on Login Page
MEDIUM (6.1)
Frappe is a full-stack web application framework. Prior to 14.98.0 and 15.83.0, an open redirect was possible through the redirect argument on the login page, if a specific type of URL was passed in. This vulnerability is fixed in 14.98.0 and 15.83.0.
Published: 2025-10-16T17:39:32.903Z
Updated: 2025-10-16T19:22:52.498Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-55732 vulnerable 2026-06-03 15:04:59.095531 Frappe has the possibility of SQL Injection due to improper validations
Frappe is a full-stack web application framework. Prior to 15.74.2 and 14.96.15, an attacker could implement SQL injection through specially crafted requests, allowing malicious people to access sensitive information. This vulnerability is a bypass of the official patch released for CVE-2025-52895. This vulnerability is fixed in 15.74.2 and 14.96.15.
Published: 2025-08-20T15:22:21.091Z
Updated: 2025-08-20T15:45:41.860Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-55731 vulnerable 2026-06-03 15:04:59.095104 Frappe has the possibility of Authenticated SQL Injection due to improper validations
Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not have access to, via SQL injection. This vulnerability is fixed in 15.74.2 and 14.96.15.
Published: 2025-08-20T15:22:16.058Z
Updated: 2025-08-20T15:47:04.165Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-52898 vulnerable 2026-06-03 15:03:52.669304 Frappe account takeover via password reset token leakage
Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users.
Published: 2025-06-30T17:19:31.543Z
Updated: 2025-06-30T18:01:16.717Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-52896 vulnerable 2026-06-03 15:03:52.668505 Frappe authenticated XSS via data import
Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds for this issue other than upgrading.
Published: 2025-06-30T17:12:50.590Z
Updated: 2025-06-30T20:39:38.755Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-52895 vulnerable 2026-06-03 15:03:52.668189 Frappe possibility of SQL injection due to improper validations
Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow a malicious person to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There are no workarounds for this issue other than upgrading.
Published: 2025-06-30T17:05:36.027Z
Updated: 2025-06-30T20:40:43.365Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-52048 vulnerable 2026-06-03 15:01:58.996382 Details available
In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, the function add_tag() at `frappe/desk/doctype/tag/tag.py` is vulnerable to SQL Injection, which allows an attacker to extract information from databases by injecting a SQL query into the `dt` parameter.
Published: 2025-09-15T00:00:00.000Z
Updated: 2025-09-15T19:13:03.103Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-30217 vulnerable 2026-06-03 15:00:27.561561 Frappe has possibility of SQL injection due to improper validations
Frappe is a full-stack web application framework. Prior to versions 14.93.2 and 15.55.0, a SQL Injection vulnerability has been identified in Frappe Framework which could allow a malicious actor to access sensitive information. Versions 14.93.2 and 15.55.0 contain a patch for the issue. No known workarounds are available.
Published: 2025-03-26T16:18:31.638Z
Updated: 2025-03-31T13:12:27.821Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-30214 vulnerable 2026-06-03 15:00:27.557252 Frappe vulnerable to information disclosure leading to account takeover
Frappe is a full-stack web application framework. Prior to versions 14.89.0 and 15.51.0, making crafted requests could lead to information disclosure that could further lead to account takeover. Versions 14.89.0 and 15.51.0 fix the issue. There's no workaround to fix this without upgrading.
Published: 2025-03-25T15:05:42.656Z
Updated: 2025-03-25T15:52:36.718Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-30213 vulnerable 2026-06-03 15:00:27.557006 Frappe has Possibility of Remote Code Execution due to improper validation
Frappe is a full-stack web application framework. Prior to versions 14.91.0 and 15.52.0, a system user was able to create certain documents in a specific way that could lead to remote code execution. Versions 14.9.1 and 15.52.0 contain a patch for the vulnerability. There's no workaround; an upgrade is required.
Published: 2025-03-25T14:55:04.949Z
Updated: 2025-03-25T15:04:26.512Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-30212 vulnerable 2026-06-03 15:00:27.556622 Frappe has possibility of SQL injection due to improper validations
Frappe is a full-stack web application framework. An SQL Injection vulnerability has been identified in Frappe Framework prior to versions 14.89.0 and 15.51.0 which could allow a malicious actor to access sensitive information. Versions 14.89.0 and 15.51.0 fix the issue. Upgrading is required; no other workaround is present.
Published: 2025-03-25T14:21:32.405Z
Updated: 2025-03-25T14:41:42.114Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-34074 vulnerable 2026-06-03 14:55:53.461561 Frappe vulnerable to an open redirect on login page
MEDIUM (6.1)
Frappe is a full-stack web application framework. Prior to 15.26.0 and 14.74.0, the login page accepted a redirect argument and allowed redirects to untrusted external URLs. This behaviour can be used by malicious actors for phishing. This vulnerability is fixed in 15.26.0 and 14.74.0.
Published: 2024-05-09T14:25:25.979Z
Updated: 2024-08-02T02:43:00.126Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-27105 vulnerable 2026-06-03 14:55:16.620727 Frappe File Permissions can be bypassed using certain endpoints
HIGH (8.1)
Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.16.0 contain a patch for this issue. No known workarounds are available.
Published: 2024-03-20T18:11:58.069Z
Updated: 2024-08-02T17:38:02.805Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-24813 vulnerable 2026-06-03 14:55:05.836828 Frappe SQL Injection from reporting logic
HIGH (7.5)
Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available.
Published: 2024-03-20T18:11:34.165Z
Updated: 2024-08-05T19:24:50.323Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-24812 vulnerable 2026-06-03 14:55:05.836426 Frappe Authenticated Reflected Cross site scripting (XSS) in portal pages
MEDIUM (5.4)
Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client side library. Prior to versions 14.59.0 and 15.5.0, portal pages are susceptible to Cross-Site Scripting (XSS), which can be used to inject malicious JS code if a user clicks on a malicious link. This vulnerability has been patched in versions 14.59.0 and 15.5.0. No known workarounds are available.
Published: 2024-02-07T15:03:29.677Z
Updated: 2024-08-01T23:28:12.777Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-46127 vulnerable 2026-06-03 14:53:08.989647 Frappe vulnerable to HTML injection by any Desk user
MEDIUM (5.4)
Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and an integrated client side library. A malicious Frappe user with desk access could create documents containing HTML payloads allowing HTML Injection. This vulnerability has been patched in version 14.49.0.
Published: 2023-10-23T14:29:01.888Z
Updated: 2024-09-11T15:23:48.149Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-41328 vulnerable 2026-06-03 14:52:51.618526 Possibility of limited SQL injection due to insufficient validation in Frappe
MEDIUM (4.2)
Frappe is a low code web framework written in Python and Javascript. A SQL Injection vulnerability has been identified in the Frappe Framework which could allow a malicious actor to access sensitive information. This issue has been addressed in versions 13.46.1 and 14.20.0. Users are advised to upgrade. There's no workaround to fix this without upgrading.
Published: 2023-09-06T17:46:45.689Z
Updated: 2024-09-26T15:23:38.217Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3988 vulnerable 2026-06-03 14:47:59.679121 Frappe Search navbar_search.html cross site scripting
LOW (3.5)
A vulnerability was found in Frappe. It has been rated as problematic. Affected by this issue is some unknown functionality of the file frappe/templates/includes/navbar/navbar_search.html of the component Search. The manipulation of the argument q leads to cross site scripting. The attack may be launched remotely. The name of the patch is bfab7191543961c6cb77fe267063877c31b616ce. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-213560.
Published: 2022-11-14T00:00:00.000Z
Updated: 2025-04-15T13:14:17.399Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-23058 vulnerable 2026-06-03 14:46:26.243030 ERPNext - Stored XSS in My Settings
ERPNext versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’, which can lead to full account takeover.
Published: 2022-06-22T07:30:21.429Z
Updated: 2024-09-16T17:37:58.854Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-23057 vulnerable 2026-06-03 14:46:26.242669 ERPNext - Stored XSS in My Profile
In ERPNext, versions v12.0.9-v13.0.3 are vulnerable to Stored Cross-Site Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile.
Published: 2022-06-22T07:25:11.161Z
Updated: 2024-09-16T17:14:26.886Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-23055 vulnerable 2026-06-03 14:46:26.219792 ERPNext - Improper user access control
In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users.
Published: 2022-06-22T08:25:10.197Z
Updated: 2024-09-16T17:53:19.267Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-35175 vulnerable 2026-06-03 14:42:31.650930 Details available
Frappe Framework 12 and 13 do not properly validate the HTTP method for the frappe.client API.
Published: 2020-12-11T22:10:40.000Z
Updated: 2024-08-04T17:02:06.756Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-27508 vulnerable 2026-06-03 14:42:18.156341 Details available
In two-factor authentication, the system also sends the 2FA secret key in the response, which enables an intruder to breach the 2FA security.
Published: 2020-12-11T15:13:30.000Z
Updated: 2024-08-04T16:18:44.347Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15700 vulnerable 2026-06-03 14:39:48.117855 Details available
public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is affected by crafted "changed value of" text.
Published: 2019-08-27T17:17:30.000Z
Updated: 2024-08-05T00:56:22.307Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-14967 vulnerable 2026-06-03 14:39:46.898315 Details available
An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. There exists an XSS vulnerability.
Published: 2019-08-12T17:21:30.000Z
Updated: 2024-08-05T00:34:52.593Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-14966 vulnerable 2026-06-03 14:39:46.897991 Details available
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. There exists an authenticated SQL injection.
Published: 2019-08-12T17:21:44.000Z
Updated: 2024-08-05T00:34:53.056Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-14965 vulnerable 2026-06-03 14:39:46.897545 Details available
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists.
Published: 2019-08-12T17:21:58.000Z
Updated: 2024-08-05T00:34:52.391Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-1000120 vulnerable 2026-06-03 14:36:25.048275 Details available
[ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter.
Published: 2017-10-04T01:00:00.000Z
Updated: 2024-09-17T01:40:58.056Z
Imported from gcve-enriched-dumps CVE data
