Frappe

Erpnext

43 vulnerabilities found.

Note: this list may be incomplete. Data is provided without warranty, in its original format.
Exploit
  • EPSS 0.07%
  • Published 15.12.2025 00:00:00
  • Last modified 05.01.2026 18:20:23

A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.get_html_and_style() triggers the rendering of the html field inside a Pri...

  • EPSS 0.07%
  • Published 03.12.2025 15:15:55
  • Last modified 05.12.2025 18:35:19

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in sto...
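The SVG avatar entry above describes a classic upload-validation failure: an SVG is an XML document and may carry `<script>` elements, `on*` event handlers and `javascript:` links, all of which run when the file is opened directly in a browser. The following check is an added example written for this page, not code from Frappe or ERPNext, and it makes no claim about how Frappe validates uploads; the element and attribute names it rejects and the sample SVGs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MAX_SVG_BYTES = 256 * 1024  # avatars are small; also bounds the input the XML parser sees

# Elements that carry or host script when the SVG is rendered as a document
# (as opposed to inside an <img>, where browsers never run SVG script).
FORBIDDEN_ELEMENTS = {"script", "foreignObject"}
# URL schemes that execute or embed content when placed in href / xlink:href.
FORBIDDEN_SCHEMES = {"javascript", "vbscript", "data"}


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix: '{http://...}tag' -> 'tag'."""
    return name.rsplit("}", 1)[-1]


def svg_is_safe(data: bytes) -> tuple[bool, str]:
    """Return (True, 'ok') for an SVG with no script-bearing constructs, else (False, reason).

    Rejects: oversized input, malformed XML, a non-<svg> root, <script>/<foreignObject>,
    any on* event-handler attribute, and javascript:/vbscript:/data: URLs in href-type
    attributes (whitespace inside the scheme is removed first, because browsers ignore
    tabs and newlines there).
    """
    if len(data) > MAX_SVG_BYTES:
        return False, "too large"
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False, "not well-formed XML"
    if _local(root.tag) != "svg":
        return False, f"root element is <{_local(root.tag)}>, not <svg>"
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            return False, f"forbidden element <{tag}>"
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                return False, f"event handler attribute {name} on <{tag}>"
            if name == "href":  # covers both bare href and xlink:href
                cleaned = "".join(value.split()).lower()
                scheme = cleaned.split(":", 1)[0] if ":" in cleaned else ""
                if scheme in FORBIDDEN_SCHEMES:
                    return False, f"{scheme}: URL in href on <{tag}>"
    return True, "ok"


# Constructed sample uploads (not taken from any report).
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HANDLER = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>'
JSHREF = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
          b'<a xlink:href="java&#10;script:alert(1)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("script", SCRIPT), ("handler", HANDLER), ("jshref", JSHREF)]:
        print(label, svg_is_safe(sample))
```

Content filtering is only one layer. An uploaded SVG that is served from the application origin and opened by following a link, which is the trigger the entry above describes, runs in that origin's context, so the other layer is to serve user uploads with `Content-Disposition: attachment`, from a separate origin, or both. For production parsing, `defusedxml` is the safer drop-in for `xml.etree`; the size cap here is not a substitute for it.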

Exploit
  • EPSS 0.03%
  • Published 02.10.2025 14:15:45
  • Last modified 03.10.2025 16:18:36

ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters.

Exploit
  • EPSS 0.03%
  • Published 02.10.2025 14:15:45
  • Last modified 03.10.2025 16:18:50

Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability in the frappe.client.get_value API endpoint via a crafted value supplied in the fieldname parameter.
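The two API entries above (order_by / group_by on frappe.desk.reportview.get, fieldname on frappe.client.get_value) name parameters whose legitimate values are column references, so a log-side check can flag requests in which those parameters contain anything a column reference never needs. The detector below is an added example written for this page, not code from Frappe or a published rule; it assumes the endpoints are reached at Frappe's usual /api/method/<dotted.path> URLs, that the log is in combined log format, and that a benign order_by/group_by looks like `tabItem`.`modified` desc while a benign fieldname is a bare column name or a JSON list of names. The log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints from the two entries above, with the parameters each is reported to pass into SQL.
# Assumption: Frappe exposes whitelisted methods at /api/method/<dotted.python.path>.
WATCHED = {
    "/api/method/frappe.desk.reportview.get": ("order_by", "group_by"),
    "/api/method/frappe.client.get_value": ("fieldname",),
}

# Character whitelist per parameter.  Quotes, parentheses, semicolons, hyphens and
# slashes (so also -- and /* comment markers) fall outside every class.
SAFE = {
    "order_by": re.compile(r"^[A-Za-z0-9_`. ,]+$"),
    "group_by": re.compile(r"^[A-Za-z0-9_`. ,]+$"),
    "fieldname": re.compile(r'^[A-Za-z0-9_\[\]", ]+$'),
}

# Combined log format: ip - user [time] "METHOD target HTTP/x" status bytes
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return [(param, decoded_value)] for watched parameters whose value fails the whitelist."""
    parts = urlsplit(target)
    params = WATCHED.get(parts.path)
    if not params:
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes, '+' -> space
    hits = []
    for name in params:
        for value in qs.get(name, []):
            if not SAFE[name].fullmatch(value):
                hits.append((name, value))
    return hits


def scan(lines) -> list[tuple[str, str, str, str, str]]:
    """Return (ip, timestamp, path, param, value) for every suspicious request in the log."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        for name, value in suspicious_params(m["target"]):
            findings.append((m["ip"], m["ts"], path, name, value))
    return findings


# Constructed sample log: benign and suspicious request to each endpoint, plus a POST
# whose parameters travel in the body and are therefore invisible to an access log.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Oct/2025:14:20:01 +0000] "GET /api/method/frappe.desk.reportview.get'
    '?doctype=Item&order_by=%60tabItem%60.%60modified%60+desc HTTP/1.1" 200 812',
    '10.0.0.5 - - [02/Oct/2025:14:20:07 +0000] "GET /api/method/frappe.desk.reportview.get'
    '?doctype=Item&order_by=name%2C(SELECT%201) HTTP/1.1" 200 811',
    '10.0.0.9 - - [02/Oct/2025:14:21:30 +0000] "GET /api/method/frappe.client.get_value'
    '?doctype=User&fieldname=%5B%22name%22%2C%22owner%22%5D HTTP/1.1" 200 140',
    '10.0.0.9 - - [02/Oct/2025:14:21:41 +0000] "GET /api/method/frappe.client.get_value'
    '?doctype=User&fieldname=name%20FROM%20tabUser%3B-- HTTP/1.1" 500 96',
    '10.0.0.9 - - [02/Oct/2025:14:22:02 +0000] "POST /api/method/frappe.desk.reportview.get HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The whitelist deliberately errs toward false positives: an unusual but legitimate order_by will be flagged and is cheap to triage, whereas a permissive pattern misses the case that matters. The POST line shows the limit of this approach: Frappe clients normally send method arguments in the request body, which an access log does not record, so for real coverage the same check belongs in a WAF rule, in request-body logging, or in the application before the value reaches the query builder. The WATCHED table can be extended with the other whitelisted method paths listed on this page as their parameter names are confirmed.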

Exploit
  • EPSS 0.02%
  • Published 02.10.2025 14:15:45
  • Last modified 03.10.2025 19:15:49

A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field.

Exploit
  • EPSS 0.04%
  • Published 01.10.2025 15:15:46
  • Last modified 03.10.2025 16:19:08

In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_quotation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injec...

Exploit
  • EPSS 0.04%
  • Published 01.10.2025 15:15:46
  • Last modified 03.10.2025 16:19:17

In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQ...

Exploit
  • EPSS 0.04%
  • Published 01.10.2025 15:15:46
  • Last modified 03.10.2025 16:19:24

In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the blanket_order_type pa...

Exploit
  • EPSS 0.04%
  • Published 01.10.2025 15:15:45
  • Last modified 03.10.2025 16:19:33

In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/material_request.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by inje...

Exploit
  • EPSS 0.03%
  • Published 30.09.2025 14:15:39
  • Last modified 03.10.2025 16:20:38

In Frappe ERPNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the filters.disabled para...