Frappe

46 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.02%
  • Published 08.04.2026 00:00:00
  • Last modified 14.04.2026 15:46:59

A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs fro...

  • EPSS 0.03%
  • Published 07.04.2026 18:52:01
  • Last modified 10.04.2026 19:30:28

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit.

  • EPSS 0.03%
  • Published 07.04.2026 16:42:12
  • Last modified 13.04.2026 12:57:24

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulk_update. This vulnerability is fixed in 16.14.0 and 15.104.0.

  • EPSS 0.03%
  • Published 11.03.2026 18:34:18
  • Last modified 13.03.2026 17:48:48

Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other users' private workspaces. Specially crafted requests could lead to store...

  • EPSS 0.03%
  • Published 11.03.2026 18:32:04
  • Last modified 13.03.2026 17:49:29

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnera...

  • EPSS 0.07%
  • Published 11.03.2026 18:28:35
  • Last modified 13.03.2026 17:50:26

Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This...

  • EPSS 0.04%
  • Published 05.03.2026 20:23:13
  • Last modified 09.03.2026 18:44:27

Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issu...

  • EPSS 0.06%
  • Published 05.03.2026 20:22:09
  • Last modified 09.03.2026 19:04:25

Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patche...

  • EPSS 0.04%
  • Published 05.03.2026 20:21:35
  • Last modified 09.03.2026 19:05:28

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. Thi...

  • EPSS 0.03%
  • Published 10.02.2026 17:39:20
  • Last modified 17.02.2026 15:05:39

Frappe is a full-stack web application framework. Prior to 14.99.14 and 15.94.0, an attacker could craft a malicious signup URL for a frappe site which could lead to an open redirect (or reflected XSS, depending on the crafted payload) when a user si...