Known Vulnerabilities for products from Frappe
Listed below are 20 of the newest known vulnerabilities associated with the vendor "Frappe".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs; each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-41430 | | Not Provided | 2026-04-24 | 2026-04-24 |
| CVE-2026-41320 | | Not Provided | 2026-04-21 | 2026-04-22 |
| CVE-2026-41317 | Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-servi... | Not Provided | 2026-04-24 | 2026-04-30 |
| CVE-2026-40889 | Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated u... | Not Provided | 2026-04-21 | 2026-04-27 |
| CVE-2026-40888 | Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticate... | Not Provided | 2026-04-21 | 2026-04-27 |
| CVE-2026-39415 | | Not Provided | 2026-04-08 | 2026-04-09 |
| CVE-2026-39351 | Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access vi... | Not Provided | 2026-04-07 | 2026-04-10 |
| CVE-2026-38432 | ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permi... | Not Provided | 2026-05-05 | 2026-05-08 |
| CVE-2026-38431 | ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or... | Not Provided | 2026-05-05 | 2026-05-08 |
| CVE-2026-35614 | Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulk_update. T... | Not Provided | 2026-04-07 | 2026-04-13 |
| CVE-2026-34606 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to... | Not Provided | 2026-04-02 | 2026-04-07 |
| CVE-2026-31017 | A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Fra... | Not Provided | 2026-04-08 | 2026-04-14 |
| CVE-2026-28436 | Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image... | Not Provided | 2026-03-05 | 2026-04-29 |
| CVE-2026-3673 | An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens th... | Not Provided | 2026-04-22 | 2026-05-12 |
| CVE-2025-11283 | A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Execut... | Not Provided | 2025-10-05 | 2026-04-29 |
| CVE-2025-11282 | A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplet... | Not Provided | 2025-10-05 | 2026-04-29 |
| CVE-2025-11281 | A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the... | Not Provided | 2025-10-05 | 2026-04-29 |
| CVE-2025-11280 | A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment P... | Not Provided | 2025-10-05 | 2026-04-29 |
| CVE-2025-10655 | SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameter... | Not Provided | 2025-12-09 | 2026-04-14 |
| CVE-2023-46127 | Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and an integrated client sid... | 5.4 - MEDIUM | 2023-10-23 | 2023-10-31 |