Frappe
Monthly
Stored XSS in Frappe's Report and List View components allows injection of persistent JavaScript payloads that execute in the browsers of any user who subsequently accesses the affected views. All Frappe deployments on the v15 branch prior to 15.107.2 and v16 branch prior to 16.17.4 are affected per the GitHub security advisory GHSA-rx63-c3fh-8926. No public exploit has been identified at time of analysis and the EPSS score of 0.02% (7th percentile) reflects low current exploitation probability, though the network-accessible nature of Frappe instances keeps this relevant for organizations running unpatched versions.
Missing authorization checks on multiple Frappe framework endpoints allow remote unauthenticated attackers to access and modify resources without permission. All Frappe installations on the 15.x branch prior to 15.107.0 and the 16.x branch prior to 16.17.0 are affected. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% reflects minimal current exploitation activity, though the attack requires no credentials or special preconditions.
Improper access control in Frappe Framework (all versions prior to 16.17.4) allows any authenticated user to retrieve private files by guessing their server-side file path, bypassing intended authorization restrictions. The flaw is classified under CWE-284 (Improper Access Control) and affects the file-serving layer of the framework, which underlies widely deployed applications such as ERPNext. No public exploit code has been identified at time of analysis, and exploitation probability is very low per EPSS (0.02%, 7th percentile), though the low attack complexity makes it straightforward for any credentialed user to attempt.
Improper access control in Frappe prior to 16.17.4 permits any authenticated user to modify any field in any Onboarding Step record, bypassing expected privilege restrictions. Affected deployments running versions below 16.17.4 expose their onboarding configuration data to unauthorized tampering by low-privileged users. EPSS is extremely low (0.02%, 5th percentile), no public exploit code has been identified, and the vulnerability is not listed in CISA KEV, suggesting no observed active exploitation at time of analysis.
Missing authorization in Frappe allows any authenticated low-privileged user to invoke the onboarding reset function and wipe onboarding state for all users system-wide, affecting all releases before 15.107.2 and 16.17.4. The CWE-862 root cause indicates the reset endpoint performs no role or privilege check before executing a privileged, system-wide operation. No public exploit code exists and EPSS sits at 0.02% (5th percentile), placing real-world exploitation risk at the lower end despite the disruptive potential of forcing every user through onboarding flows on next login.
DB schema enumeration in Frappe (versions prior to 15.107.2 and 16.17.4) exposes internal database structure to unauthenticated remote attackers via a vulnerable endpoint. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or special conditions are required, making this accessible to any internet-facing instance. While limited to low confidentiality impact (VC:L) with no integrity or availability consequences, schema information can inform targeted follow-on attacks against the application's data layer. No public exploit has been identified at time of analysis, and EPSS of 0.02% (7th percentile) indicates low current exploitation probability.
Insecure Direct Object Reference (IDOR) in the Frappe full-stack web application framework exposes email configuration details of arbitrary users to any authenticated account. The flaw exists in versions prior to 15.107.0 (v15 branch) and 16.17.0 (v16 branch), allowing a low-privilege authenticated attacker to enumerate and read email settings belonging to other users by manipulating object references in requests. No public exploit has been identified and the issue is not listed in CISA KEV, though the low EPSS score (0.02%) and network-accessible vector warrant patching, particularly for multi-tenant Frappe deployments.
Unauthorized resource access in the Frappe web application framework exposes the submit_discussion() endpoint to unauthenticated network callers who can bypass access controls and write discussion data to resources they do not own. All Frappe deployments running versions prior to 15.107.0 (v15 branch) or 16.17.0 (v16 branch) are affected, with impact limited to low-severity integrity writes and no confidentiality or availability consequence. No public exploit code exists and EPSS probability is 0.03% (9th percentile), indicating low opportunistic exploitation pressure despite the unauthenticated network attack vector.
Stored cross-site scripting in Frappe's user profile image section enables script injection that executes in the browsers of any user who views the compromised profile. Affected versions are all Frappe releases prior to 15.106.0. No public exploit code or CISA KEV listing exists at time of analysis; EPSS of 0.02% (7th percentile) reflects low observed exploitation activity, though stored XSS in a shared framework carries inherent persistence risk across all applications built on Frappe.
SQL Injection in the Frappe full-stack web framework's get_blog_list function allows unauthenticated remote attackers to manipulate database queries, leading to limited data read and write access. Frappe versions prior to 15.106.0 (v15 branch) and 16.16.0 (v16 branch) are affected across all deployments that expose the blog module. No public exploit code has been identified and exploitation probability is very low per EPSS (0.02%), though the network-accessible, unauthenticated attack surface warrants prompt patching for internet-facing instances.
Stored cross-site scripting in the Frappe framework's Note feature allows a low-privileged attacker to persist malicious JavaScript that executes in the browsers of users who subsequently view the poisoned note. All Frappe deployments on the v15 branch prior to 15.106.0 and the v16 branch prior to 16.16.0 are affected. No public exploit or CISA KEV listing exists at time of analysis; vendor-confirmed patches are available and should be applied promptly given the ease of exploitation once an attacker holds any valid user account.
Arbitrary file read in the Frappe full-stack web application framework allows remote unauthenticated attackers to retrieve files outside intended directories via path traversal sequences in affected versions prior to 15.105.0 and 16.15.0. The CVSS 4.0 base score of 8.7 reflects high confidentiality impact with no required privileges or user interaction; no public exploit has been identified at time of analysis and the issue is not listed in CISA KEV. Successful exploitation discloses sensitive server-side files such as configuration secrets, site keys, or credentials used by downstream ERPNext deployments.
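The two file-serving weaknesses above (path traversal by unauthenticated callers, and private files readable by any authenticated user who knows the server-side path) need two separate checks: path containment and a per-record authorization decision. The following is an added example showing both together; it is illustrative code, not Frappe's file-serving implementation. The site directory layout, the `FILE_RECORDS` table standing in for File records, the `System Manager` role name and the public/private prefixes are assumptions made for the demonstration.

```python
import posixpath
import urllib.parse
from pathlib import Path
from typing import Optional, Set, Tuple

# Hypothetical site directory; only these two prefixes under it are ever served.
SITE_ROOT = Path("/srv/bench/sites/site1.local").resolve()
SERVED_PREFIXES = ("public/files/", "private/files/")

# Constructed stand-in for File records: site-relative path -> (owner, is_private).
FILE_RECORDS = {
    "private/files/payroll-2024.xlsx": ("hr@example.com", True),
    "public/files/logo.png": ("Administrator", False),
}


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding (%252e -> %2e -> .) so the traversal check
    sees the bytes the filesystem would see."""
    for _ in range(rounds):
        nxt = urllib.parse.unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def resolve_within(root: Path, requested: str) -> Optional[Path]:
    """Map a request path onto the filesystem and refuse anything outside root.

    '..' segments are collapsed against a virtual root first, so they cannot climb
    above it; the resolve()/relative_to() pair then catches symlinks that point
    out of the tree, which a string search for '..' would miss."""
    decoded = fully_decode(requested).replace("\\", "/")
    normalised = posixpath.normpath("/" + decoded.lstrip("/")).lstrip("/")
    candidate = (root / normalised).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def may_read(user: str, roles: Set[str], rel_path: str) -> bool:
    """Authorization is decided from the record, never from knowledge of the path."""
    if rel_path.startswith("public/files/"):
        return True
    record = FILE_RECORDS.get(rel_path)
    if record is None:
        return False  # unknown private file: deny rather than confirm existence
    owner, is_private = record
    return (not is_private) or user == owner or "System Manager" in roles


def serve_file(user: str, roles: Set[str], requested: str) -> Tuple[int, str]:
    """Return (HTTP status, site-relative path or refusal reason)."""
    target = resolve_within(SITE_ROOT, requested)
    if target is None:
        return 403, "path escapes site root"
    rel = target.relative_to(SITE_ROOT).as_posix()
    if not rel.startswith(SERVED_PREFIXES):
        return 404, "not a served location"  # e.g. site_config.json reached via ../
    if not may_read(user, roles, rel):
        return 403, "not permitted"
    return 200, rel


if __name__ == "__main__":
    for who, roles, req in [
        ("Guest", set(), "/public/files/logo.png"),
        ("Guest", set(), "/public/files/..%2f..%2fsite_config.json"),
        ("Guest", set(), "%252e%252e/%252e%252e/%252e%252e/etc/passwd"),
        ("Guest", set(), "/private/files/payroll-2024.xlsx"),
        ("hr@example.com", set(), "/private/files/payroll-2024.xlsx"),
        ("ops@example.com", {"System Manager"}, "/private/files/payroll-2024.xlsx"),
    ]:
        print(who, req, "->", serve_file(who, roles, req))
```

The traversal cases land on 404 rather than 403 because, after normalisation, they point at a real but unserved location inside the site root; the private-file cases show that the same path yields different answers depending on who asks, which is the property the "guessable path" entry above says was missing.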
Stored cross-site scripting (XSS) in Frappe 16.10.0 allows authenticated attackers with high privileges to inject malicious scripts into document fields, which execute in the browser of any user who subsequently opens the affected document in Desk. The vulnerability stems from unsafe HTML interpolation in multiple formatter implementations that fail to escape user-supplied values, enabling persistent client-side code execution with limited scope (low integrity/availability impact). CVSS 4.6 reflects the requirement for authenticated high-privilege access and user interaction, but the XSS vector represents a significant persistence and social engineering risk in collaborative document environments.
Stored cross-site scripting (XSS) in Frappe 16.10.10 allows authenticated attackers with high privileges to inject malicious JavaScript via crafted tag values in the _user_tags field, which execute when victims open list or report views. The vulnerability stems from unescaped interpolation of tag content into HTML attributes and element content. Exploitation requires user interaction (victim must open affected view) and high-level authentication, but results in session hijacking or data theft with partial technical impact; CISA SSVC framework rates this as exploitable via proof-of-concept with partial technical impact.
Frappe web application framework prior to versions 16.14.0 and 15.104.0 allows unauthenticated remote attackers to bypass access controls and retrieve restricted Doctype data through API endpoints, resulting in information disclosure of sensitive application data. The entry is tagged as an authentication bypass with a CVSS score of 6.9, though the root cause it describes is missing authorization checks on API methods rather than a flaw in authentication itself.
SQL injection in Frappe's bulk_update function enables unauthenticated remote attackers to execute arbitrary SQL commands, potentially achieving complete database compromise including data exfiltration, modification, and deletion. Affects Frappe versions prior to 16.14.0 and 15.104.0. CVSS 9.3 (Critical) reflects network-accessible attack requiring no authentication or user interaction. No public exploit identified at time of analysis, though the attack surface (bulk update API endpoint) and vulnerability class (SQL injection) are well-understood by attackers.
Frappe is a full-stack web application framework. Versions up to 14.100.2 are affected by cross-site scripting (XSS).
Frappe is a full-stack web application framework. Versions up to 14.100.1 are affected by server-side request forgery (SSRF) (CVSS 5.0).
SQL injection in the Frappe framework before 15.84.0 (v15 branch) and 14.99.0 (v14 branch).
Frappe versions prior to 14.100.1 and 15.100.0 contain a SQL injection vulnerability in an endpoint that allows authenticated attackers to extract sensitive information from the database. An attacker with valid credentials can craft requests that bypass query protections and read confidential data without modifying it or disrupting availability. The entry reports no patch as available, yet the version boundaries it gives imply fixes in 14.100.1 and 15.100.0; confirm patch status against the vendor advisory before treating this as unfixed.
Frappe versions prior to 15.98.0 and 14.100.0 contain an improper access control vulnerability that allows authenticated users to grant document permissions they do not themselves hold to other users. An attacker with valid credentials could escalate privileges by sharing documents with elevated permissions, potentially exposing sensitive information or enabling unauthorized modifications. As with the preceding entry, "no patch is currently available" sits alongside version boundaries that imply fixes in 15.98.0 and 14.100.0; verify against the vendor advisory.
Stored cross-site scripting in Frappe versions prior to 16.11.0 and 15.102.0 allows unauthenticated attackers to execute arbitrary JavaScript in users' browsers through malicious image URLs in avatar fields and website comments. The vulnerability affects any user viewing a page containing the compromised avatar, enabling session hijacking, credential theft, or malware distribution without user interaction.
Malicious signup URLs in Frappe versions prior to 14.99.14 and 15.94.0 can redirect users to attacker-controlled sites or execute reflected XSS payloads during the registration process. An attacker can craft a signup link that sends users to a malicious destination or runs a script in their browsers. A patch is available in the fixed versions.
Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are vulnerable to path traversal attacks. [CVSS 7.5 HIGH]
In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.
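An SVG is an XML document, so an "image" upload can carry script elements, event-handler attributes and active URLs that run the moment a browser opens the file directly, which is what the avatar entry above describes. The following is an added example of the validation step, not Frappe's or ERPNext's code; the rejection list (script-like elements, `on*` attributes, `javascript:`/`vbscript:`/`data:` URLs) is an assumption chosen for the demonstration, and the two SVG samples are constructed. Treating `data:` URLs as active is deliberately strict and will reject embedded raster images.

```python
import xml.etree.ElementTree as ET
from typing import List

# Elements that turn an image into an executable or embedding document.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
URL_ATTRS = {"href", "src"}          # xlink:href reduces to "href" after namespace strip
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}svg' -> 'svg'."""
    return qname.rsplit("}", 1)[-1]


def svg_rejections(data: bytes) -> List[str]:
    """Return every reason the SVG is unsafe; an empty list means it passed.

    Note: for untrusted XML in production use a hardened parser (e.g. defusedxml)
    in front of this check; the stdlib parser is used here to stay self-contained."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    reasons: List[str] = []
    if _local(root.tag) != "svg":
        reasons.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        if not isinstance(el.tag, str):
            continue  # comments / processing instructions
        name = _local(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            reasons.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            aname = _local(attr).lower()
            if aname.startswith("on"):
                reasons.append(f"event handler {aname} on <{name}>")
            elif aname in URL_ATTRS:
                # Strip whitespace and control characters that are used to hide
                # the scheme (e.g. 'java\tscript:'), then compare the prefix.
                compact = "".join(c for c in value if c.isprintable() and not c.isspace()).lower()
                if compact.startswith(ACTIVE_SCHEMES):
                    reasons.append(f"active URL in {aname} on <{name}>")
    return reasons


# Constructed samples: one plain icon, one carrying three separate payload vectors.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16">'
    b'<circle cx="8" cy="8" r="6" fill="#0a0"/></svg>'
)
MALICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
    b' onload="alert(document.domain)">'
    b'<a xlink:href="jAva&#9;script:alert(1)"><text x="2" y="12">hi</text></a>'
    b'<script>alert(1)</script></svg>'
)


if __name__ == "__main__":
    print("benign   ->", svg_rejections(BENIGN_SVG))
    print("malicious->", svg_rejections(MALICIOUS_SVG))
```

Validation on upload is the first layer; the second, independent of parsing, is to never serve user-supplied SVG inline from the application origin (a `Content-Disposition: attachment` header, a restrictive `Content-Security-Policy` on the file response, or a separate cookie-less static origin all remove the session the payload would otherwise run in).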
Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, certain requests were vulnerable to path traversal attacks, wherein some files from the server could be retrieved if the full path was known. Sites hosted on Frappe Cloud, and even other setups that are behind a reverse proxy like NGINX are unaffected. This would mainly affect someone directly using werkzeug/gunicorn. In those cases, either an upgrade or changing the setup to use a reverse proxy is recommended. This vulnerability is fixed in 15.86.0 and 14.99.2.
Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2.
ERPNext v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters.
Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via a crafted value supplied in the fieldname parameter of the frappe.client.get_value API endpoint.
A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNext v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field.
In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, the function add_tag() at `frappe/desk/doctype/tag/tag.py` is vulnerable to SQL injection, which allows an attacker to extract. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable with low attack complexity and no authentication required. Public exploit code is reported as available. The entry also reports no vendor patch, yet the version boundaries it states imply fixes in 15.72.0 and 14.96.10; verify patch status against the vendor advisory.
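The reportview.get (order_by, group_by) and client.get_value (fieldname) entries above are one class of bug: a caller-supplied SQL identifier or clause is concatenated into the query text, and parameter binding cannot help because identifiers and ORDER BY clauses are not bindable. The following is an added example, not Frappe's code and not a reproduction of either report: a two-table SQLite schema stands in for a doctype table plus something worth stealing, and the vulnerable builder sits beside the hardened one so the difference is observable. The table and column names, and the allowlist, are constructed for the demonstration.

```python
import re
import sqlite3
from typing import List

# Constructed stand-in for a doctype table; its columns double as the field allowlist.
ALLOWED_FIELDS = frozenset({"name", "title", "amount", "owner"})
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tabTask (name TEXT, title TEXT, amount REAL, owner TEXT)")
    con.execute("CREATE TABLE tabSecret (name TEXT, api_key TEXT)")
    con.executemany("INSERT INTO tabTask VALUES (?, ?, ?, ?)",
                    [("T-1", "alpha", 10.0, "a@example.com"),
                     ("T-2", "beta", 5.0, "b@example.com")])
    con.execute("INSERT INTO tabSecret VALUES ('S-1', 'sk-constructed-sample')")
    return con


def get_value_vulnerable(con: sqlite3.Connection, fieldname: str, name: str):
    """The pattern behind the class: the identifier is formatted into the SQL text.
    Binding the WHERE value does nothing for the SELECT list."""
    return con.execute(f"SELECT {fieldname} FROM tabTask WHERE name = ?", (name,)).fetchall()


def safe_field(fieldname: str) -> str:
    """Accept only a bare identifier that is also a known column, then quote it.
    The quote character is dialect-specific (backtick on MariaDB, double quote here)."""
    if not IDENT.match(fieldname) or fieldname not in ALLOWED_FIELDS:
        raise ValueError(f"invalid fieldname: {fieldname!r}")
    return f'"{fieldname}"'


def safe_order_by(order_by: str) -> str:
    """Rebuild ORDER BY from validated parts instead of passing the string through."""
    parts: List[str] = []
    for clause in order_by.split(","):
        tokens = clause.split()
        if not 1 <= len(tokens) <= 2:
            raise ValueError(f"invalid order_by clause: {clause!r}")
        direction = tokens[1].upper() if len(tokens) == 2 else "ASC"
        if direction not in ("ASC", "DESC"):
            raise ValueError(f"invalid sort direction: {tokens[1]!r}")
        parts.append(f"{safe_field(tokens[0])} {direction}")
    return ", ".join(parts)


def get_value_hardened(con: sqlite3.Connection, fieldname: str, name: str):
    return con.execute(f"SELECT {safe_field(fieldname)} FROM tabTask WHERE name = ?",
                       (name,)).fetchall()


def get_list_hardened(con: sqlite3.Connection, order_by: str = "name asc") -> List[str]:
    rows = con.execute(f"SELECT name FROM tabTask ORDER BY {safe_order_by(order_by)}")
    return [row[0] for row in rows]


def is_rejected(build, *args) -> bool:
    """True when the validator refuses the input."""
    try:
        build(*args)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    con = make_db()
    probe = "(SELECT api_key FROM tabSecret)"   # a scalar subquery in place of a column name
    print("vulnerable:", get_value_vulnerable(con, probe, "T-1"))
    print("hardened rejects:", is_rejected(get_value_hardened, con, probe, "T-1"))
    print("ordered:", get_list_hardened(con, "amount desc, name asc"))
    print("order_by with trailing SQL rejected:", is_rejected(safe_order_by, "amount desc LIMIT 1 -- "))
```

The allowlist is the real control; the identifier regex only keeps quoting honest. Note that the hardened form also rejects backtick-quoted input such as `` `amount` desc ``; if a deployment's clients send that form, strip the quotes before validation rather than widening the regex to accept them.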
Frappe is a full-stack web application framework. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.
Frappe is a full-stack web application framework. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.
Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users.
Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds for this issue other than upgrading.
Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow a malicious actor to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There are no workarounds for this issue other than upgrading.
Frappe is a full-stack web application framework. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Frappe is a full-stack web application framework. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Frappe is a full-stack web application framework. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Frappe is a full-stack web application framework. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.
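Several entries in this list name the exact request surface an attacker would hit, which makes them detectable from ordinary web-server access logs while a patch is being scheduled. The following is an added example of that detection pass, not a vendor or Frappe signature set: the endpoint names frappe.desk.reportview.get and frappe.client.get_value and the parameters order_by, group_by and fieldname are taken from the entries above; the dotted path used for bulk_update is an assumption (the entries name only the function); the log lines are constructed in Nginx combined format and are not real traffic.

```python
import re
import urllib.parse
from typing import List, NamedTuple


class Hit(NamedTuple):
    line_no: int
    rule: str
    client: str
    target: str


# Nginx "combined" format: client, ident, user, [time], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shapes that never belong in an identifier-style parameter: SQL keywords, timing
# functions, comment openers, statement separators and parentheses.
SQL_SHAPE = re.compile(r"(?i)\b(select|union|sleep|benchmark|load_file|information_schema)\b|--|/\*|[();]")
IDENT_PARAMS = ("order_by", "group_by", "fieldname")
IDENT_ENDPOINTS = ("frappe.desk.reportview.get", "frappe.client.get_value")
FILE_PREFIXES = ("/files/", "/private/files/")

# Constructed sample traffic. Line 1 is a legitimate Frappe-style order_by (backtick
# quoted), line 5 a normal file fetch; the others are the shapes under discussion.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:09:14:02 +0000] "GET /api/method/frappe.desk.reportview.get?doctype=ToDo&order_by=%60tabToDo%60.%60modified%60%20desc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2025:09:14:07 +0000] "GET /api/method/frappe.desk.reportview.get?doctype=ToDo&order_by=name%20desc%2C(SELECT%20sleep(5)) HTTP/1.1" 200 44 "-" "python-requests/2.31"
198.51.100.2 - - [10/Mar/2025:09:15:11 +0000] "GET /api/method/frappe.client.get_value?doctype=Task&fieldname=(SELECT%20api_key%20FROM%20tabSecret%20LIMIT%201)&filters=%7B%7D HTTP/1.1" 200 90 "-" "curl/8.4"
198.51.100.2 - - [10/Mar/2025:09:15:40 +0000] "GET /files/..%2f..%2fsite_config.json HTTP/1.1" 200 1300 "-" "curl/8.4"
192.0.2.7 - - [10/Mar/2025:09:16:00 +0000] "GET /files/logo.png HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
192.0.2.8 - - [10/Mar/2025:09:16:30 +0000] "POST /api/method/frappe.client.bulk_update HTTP/1.1" 200 20 "-" "curl/8.4"
"""


def analyse(log_text: str) -> List[Hit]:
    hits: List[Hit] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m["client"], m["target"]
        url = urllib.parse.urlsplit(target)
        params = urllib.parse.parse_qs(url.query)   # one decode round happens here

        # Rule 1: SQL syntax inside identifier parameters of the named endpoints.
        if url.path.endswith(IDENT_ENDPOINTS):
            for key in IDENT_PARAMS:
                for value in params.get(key, []):
                    if SQL_SHAPE.search(value):
                        hits.append(Hit(n, f"sql-shape:{key}", client, target))

        # Rule 2: traversal against file paths; two decode rounds catch %252e forms.
        decoded = urllib.parse.unquote(urllib.parse.unquote(url.path)).replace("\\", "/")
        if decoded.startswith(FILE_PREFIXES) and ".." in decoded.split("/"):
            hits.append(Hit(n, "path-traversal", client, target))

        # Rule 3: any call to the bulk_update endpoint (dotted path assumed) is worth
        # reviewing while the unauthenticated SQL injection entry above is unpatched.
        if url.path.endswith("bulk_update"):
            hits.append(Hit(n, "bulk_update-call", client, target))
    return hits


if __name__ == "__main__":
    for h in analyse(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.rule} from {h.client}: {h.target}")
```

A 200 on the traversal line is the signal to escalate: a patched server would have refused it. Parentheses are included in the SQL shape because neither a field name nor a sort clause legitimately contains them; if a deployment's own clients prove otherwise, narrow the rule to the keyword alternatives rather than dropping it.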