Known Vulnerabilities for products from Frappe
Listed below are 20 of the newest known vulnerabilities associated with the vendor "Frappe".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-41320 json | Not Provided | 2026-04-21 | 2026-04-22 | |
| CVE-2026-40889 json | Not Provided | 2026-04-21 | 2026-04-22 | |
| CVE-2026-40888 json | Not Provided | 2026-04-21 | 2026-04-21 | |
| CVE-2026-39415 json | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vul... | Not Provided | 2026-04-08 | 2026-04-13 |
| CVE-2026-39351 json | Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access vi... | Not Provided | 2026-04-07 | 2026-04-10 |
| CVE-2026-35614 json | Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulk_update. T... | Not Provided | 2026-04-07 | 2026-04-13 |
| CVE-2026-34606 json | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to... | Not Provided | 2026-04-02 | 2026-04-07 |
| CVE-2026-31017 json | A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Fra... | Not Provided | 2026-04-08 | 2026-04-14 |
| CVE-2026-3837 json | Not Provided | 2026-04-22 | 2026-04-22 | |
| CVE-2026-3673 json | Not Provided | 2026-04-22 | 2026-04-22 | |
| CVE-2025-10655 json | SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameter... | Not Provided | 2025-12-09 | 2026-04-14 |
| CVE-2023-46127 json | Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and an integrated client sid... | 5.4 - MEDIUM | 2023-10-23 | 2023-10-31 |
| CVE-2023-42807 json | Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an... | 9.8 - CRITICAL | 2023-09-21 | 2023-09-25 |
| CVE-2023-41328 json | Frappe is a low code web framework written in Python and Javascript. A SQL Injection vulnerability has been identified in the... | 7.5 - HIGH | 2023-09-06 | 2023-09-11 |
| CVE-2023-5555 json | Cross-site Scripting (XSS) - Generic in GitHub repository frappe/lms prior to 5614a6203fb7d438be8e2b1e3030e4528d170ec4. | 6.1 - MEDIUM | 2023-10-12 | 2023-10-16 |
| CVE-2022-41712 json | Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the app... | 6.5 - MEDIUM | 2022-11-25 | 2022-11-30 |
| CVE-2022-28598 json | Frappe ERPNext 12.29.0 is vulnerable to XSS where the software does not neutralize or incorrectly neutralize user-controllabl... | 6.1 - MEDIUM | 2022-08-22 | 2023-04-06 |
| CVE-2022-23058 json | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new secur... | 3.5 - LOW | 2022-06-22 | 2023-11-07 |
| CVE-2022-23057 json | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new secur... | 5.4 - MEDIUM | 2022-06-22 | 2023-11-07 |
| CVE-2022-23056 json | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new secur... | 3.5 - LOW | 2022-06-22 | 2023-11-07 |