Frappe

61 vulnerabilities found.

Note: This list may be incomplete. Data is provided in its original format without warranty.

  • EPSS 0.31%
  • Published 24.06.2026 14:20:31
  • Last modified 25.06.2026 14:04:33

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger s...

  • EPSS 0.26%
  • Published 12.06.2026 14:45:11
  • Last modified 12.06.2026 16:17:58

Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, there is a stored XSS vulnerability in Frappe Report/List View. This issue has been patched in versions 15.107.2 and 16.17.4.

  • EPSS 0.26%
  • Published 12.06.2026 14:43:41
  • Last modified 12.06.2026 16:17:58

Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, a lack of permission checks in these endpoints allowed unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.

  • EPSS 0.28%
  • Published 12.06.2026 14:39:57
  • Last modified 12.06.2026 16:17:58

Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4.

  • EPSS 0.28%
  • Published 12.06.2026 14:38:00
  • Last modified 12.06.2026 16:20:22

Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4.

  • EPSS 0.28%
  • Published 12.06.2026 14:35:55
  • Last modified 12.06.2026 16:17:58

Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4.

  • EPSS 0.31%
  • Published 12.06.2026 14:34:00
  • Last modified 12.06.2026 16:17:58

Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration is possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4.

  • EPSS 0.32%
  • Published 12.06.2026 14:27:58
  • Last modified 12.06.2026 16:17:58

Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allows authenticated users to access other users' email configuration details. This issue has been patched in versions 15.107.0 and 16.17....

  • EPSS 0.32%
  • Published 12.06.2026 14:26:17
  • Last modified 12.06.2026 16:17:58

Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.1...

  • EPSS 0.26%
  • Published 12.06.2026 14:23:45
  • Last modified 12.06.2026 15:56:54

Frappe is a full-stack web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allows an attacker to execute malicious scripts in the browsers of other users. This issue has been patched in v...