📦 Frappe
by Frappe
🔍 What is Frappe?
Description coming soon...
🛡️ Security Overview
⚠️ Known Vulnerabilities
This vulnerability allows authenticated Frappe users with specific permissions to be tricked into clicking malicious links that execute arbitrary code on the server. It affects all Frappe installation...
This critical vulnerability in Frappe Framework's Attachments module allows attackers to upload malicious XML files that can lead to remote code execution. It affects all systems running Frappe Framew...
This vulnerability allows attackers to upload malicious SVG avatar images containing JavaScript payloads in ERPNext and Frappe Framework. When an administrator clicks to view the avatar, the JavaScrip...
This CVE describes a path traversal vulnerability in Frappe web framework that allows attackers to read arbitrary files from the server due to insufficient input sanitization. All Frappe installations...
This CVE describes an error-based SQL injection vulnerability in the Frappe web application framework. Attackers can exploit this to retrieve sensitive information like database version details. Organ...
This SQL injection vulnerability in the Frappe web application framework allows attackers to execute arbitrary SQL commands via specially crafted requests. It affects all Frappe installations prior to...
This SQL injection vulnerability in Frappe Framework allows attackers to execute arbitrary SQL queries through the application. It affects all Frappe Framework deployments prior to versions 14.93.2 an...
An SQL injection vulnerability in Frappe Framework allows attackers to execute arbitrary SQL commands through crafted inputs. This could lead to unauthorized access to sensitive database information. ...
This vulnerability in Frappe framework allows authenticated system users to create documents in a specific way that leads to remote code execution. It affects all Frappe installations running versions...
This vulnerability in Frappe framework allows attackers to make crafted requests that disclose sensitive information, potentially leading to account takeover. It affects all Frappe installations runni...
This vulnerability allows less privileged users to bypass file permission controls in Frappe framework, enabling them to delete or clone files they shouldn't have access to. It affects all Frappe inst...
This vulnerability allows attackers to craft malicious signup URLs for Frappe sites, which can lead to open redirects or reflected cross-site scripting (XSS) attacks when users sign up. It affects all...
This CVE describes a path traversal vulnerability in Frappe web framework that allows attackers to retrieve arbitrary files from the server if the full path is known. It affects direct deployments usi...
This CVE describes an open redirect vulnerability in Frappe web framework's login page. Attackers can craft malicious URLs that redirect users to arbitrary external sites after login. All Frappe appli...
A stored cross-site scripting (XSS) vulnerability in ERPNEXT v15.67.0 allows attackers to inject malicious scripts into blog posts, which execute when other users view the compromised content. This af...
This SQL injection vulnerability in Frappe Framework allows attackers to execute arbitrary SQL commands through the fieldname parameter in the frappe.client.get_value API endpoint. Attackers can poten...
CVE-2025-56381 allows attackers to execute arbitrary SQL commands in ERPNEXT through SQL injection vulnerabilities in the reportview API endpoint. This affects all ERPNEXT v15.67.0 installations with ...