CVE-2026-41581
- EPSS 0.23%
- Published 12.06.2026 14:22:46
- Last modified 12.06.2026 15:56:54
Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, there is a possible SQL Injection via get_blog_list. This issue has been patched in versions 15.106.0 and 16.16.0.
CVE-2026-47739
- EPSS 0.26%
- Published 12.06.2026 14:22:21
- Last modified 12.06.2026 15:56:54
Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, stored XSS in Note was possible due to lack of sanitization. This issue has been patched in versions 15.106.0 and 16.16.0.
CVE-2026-39352
- EPSS 1.28%
- Published 20.05.2026 19:27:01
- Last modified 21.05.2026 15:24:25
Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible arbitrary file read vulnerability via path traversal. This issue has been patched in versions 15.105.0 and 16.15.0.
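The advisory above does not say which endpoint was affected, so the following is a generic containment check for the vulnerability class rather than Frappe's own fix. It is an added example, not code from the Frappe project: `FILES_DIR` is a constructed stand-in for a site's public files directory, and `requested` is assumed to be the already URL-decoded user-supplied path.

```python
import os
from typing import Optional

# Hypothetical base directory standing in for a site's public files folder;
# the path is constructed for this example and need not exist on disk.
FILES_DIR = "/srv/site/public/files"


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` if it stays inside base_dir,
    otherwise None. `requested` is expected to be URL-decoded already."""
    base = os.path.realpath(base_dir)
    if os.path.isabs(requested):
        # An absolute path can never be a legitimate relative file name here.
        return None
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath collapses "..", "." and symlinks; commonpath then checks that
    # the result lies below base (a plain startswith() on the string would
    # also accept "/srv/site/public/files2/...").
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def is_contained(base_dir: str, requested: str) -> bool:
    """Convenience wrapper: True when the request resolves inside base_dir."""
    return resolve_within(base_dir, requested) is not None
```

The check is deliberately done on the resolved path, not on the raw string: rejecting `..` substrings alone misses symlinks inside the base directory and mixed encodings that only become `..` after decoding.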
CVE-2026-3837
- EPSS 0.19%
- Published 22.04.2026 19:52:56
- Last modified 14.05.2026 21:24:47
An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw H...
CVE-2026-3673
- EPSS 0.2%
- Published 22.04.2026 19:32:36
- Last modified 12.05.2026 15:48:35
An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element...
CVE-2026-31017
- EPSS 0.25%
- Published 08.04.2026 00:00:00
- Last modified 14.04.2026 15:46:59
A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs fro...
CVE-2026-39351
- EPSS 0.26%
- Published 07.04.2026 18:52:01
- Last modified 10.04.2026 19:30:28
Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allowed unrestricted DocType access through the API. This issue has been patched in versions 15.104.0 and 16.14.0.
CVE-2026-35614
- EPSS 0.26%
- Published 07.04.2026 16:42:12
- Last modified 13.04.2026 12:57:24
Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe had a SQL injection in bulk_update. This vulnerability is fixed in 16.14.0 and 15.104.0.
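Two of the entries on this page (CVE-2026-41581 in get_blog_list and CVE-2026-35614 in bulk_update) are SQL injections, and the advisories give no further detail. The block below is an added illustration of the vulnerability class using an in-memory SQLite table; it is not Frappe's code, schema or the actual vulnerable query, and the table, rows and `PAYLOAD` are constructed for the example.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a blog post table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE blog_post (name TEXT, category TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO blog_post VALUES (?, ?, ?)",
        [("hello-world", "general", 1), ("draft-memo", "internal", 0)],
    )
    return conn


def list_posts_unsafe(conn: sqlite3.Connection, category: str) -> List[str]:
    # Vulnerable pattern: the caller-controlled value becomes part of the SQL
    # text, so a quote character in it changes the structure of the query.
    sql = (
        "SELECT name FROM blog_post WHERE published = 1 "
        "AND category = '%s'" % category
    )
    return [row[0] for row in conn.execute(sql)]


def list_posts_safe(conn: sqlite3.Connection, category: str) -> List[str]:
    # Hardened pattern: the value is bound as a parameter and is only ever
    # compared as data. frappe.db.sql takes the same shape with %s
    # placeholders in the query and a separate values argument.
    sql = "SELECT name FROM blog_post WHERE published = 1 AND category = ?"
    return [row[0] for row in conn.execute(sql, (category,))]


# Constructed payload: closes the quoted literal and appends an always-true
# disjunct, which bypasses the published = 1 filter in the unsafe variant.
PAYLOAD = "general' OR '1'='1"
```

With the payload, the unsafe variant returns the unpublished row as well because `AND` binds tighter than `OR`, while the safe variant returns nothing since no row has that literal category.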
CVE-2026-31879
- EPSS 0.14%
- Published 11.03.2026 18:34:18
- Last modified 13.03.2026 17:48:48
Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other users' private workspaces. Specially crafted requests could lead to store...
- EPSS 0.18%
- Published 11.03.2026 18:32:04
- Last modified 13.03.2026 17:49:29
Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnera...
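The fixed versions quoted in the entries above differ per release line, which makes a manual comparison error-prone. The following added script (not Frappe's or any advisory's own tooling) compares an installed Frappe version against the fixed versions stated on this page. The `FIXED_VERSIONS` table contains only entries that state a fixed version for the Frappe framework; CVE-2026-3837, CVE-2026-3673, the ERPNext-specific CVE-2026-31017 and the entry whose identifier is missing above are not included, and the installed version string is assumed to look like `frappe.__version__` (for example `15.105.3`).

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Built from the fixed versions stated in the advisories on this page,
# keyed by CVE and then by major release line. A release line that is not
# listed for a CVE has no fixed version given here; it is not known-safe.
FIXED_VERSIONS: Dict[str, Dict[int, Version]] = {
    "CVE-2026-41581": {15: (15, 106, 0), 16: (16, 16, 0)},
    "CVE-2026-47739": {15: (15, 106, 0), 16: (16, 16, 0)},
    "CVE-2026-39352": {15: (15, 105, 0), 16: (16, 15, 0)},
    "CVE-2026-39351": {15: (15, 104, 0), 16: (16, 14, 0)},
    "CVE-2026-35614": {15: (15, 104, 0), 16: (16, 14, 0)},
    "CVE-2026-31879": {14: (14, 100, 2), 15: (15, 101, 0), 16: (16, 10, 0)},
}


def parse_version(text: str) -> Version:
    """Parse 'v15.105.3' or '15.105.3' into a comparable tuple."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def assess(installed: str) -> Dict[str, str]:
    """Return one of 'patched', 'unpatched' or 'no-fix-listed' per CVE.

    'no-fix-listed' means this page names no fixed version for the
    installed major line, which should trigger a manual check, not be
    read as safe."""
    version = parse_version(installed)
    status: Dict[str, str] = {}
    for cve, fixes in FIXED_VERSIONS.items():
        fixed = fixes.get(version[0])
        if fixed is None:
            status[cve] = "no-fix-listed"
        elif version < fixed:
            status[cve] = "unpatched"
        else:
            status[cve] = "patched"
    return status


def needs_attention(installed: str) -> List[str]:
    """CVEs that are either unpatched or have no fix listed for this line."""
    return sorted(c for c, s in assess(installed).items() if s != "patched")


if __name__ == "__main__":
    # Example run on a constructed version string
    for cve, state in assess("15.105.3").items():
        print(f"{cve}: {state}")
```

Tuple comparison gives the right ordering for minor and patch numbers (so 15.106.0 is correctly above 15.99.0), and the table is intentionally data rather than code so it can be extended as the page grows.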