frappe

Top products

The 15 most recently published vulnerabilities affecting frappe.

• CVE-2026-45081Frappe HR: Permission Bypass in HRMS Leave Details API6.5May 27, 2026
• CVE-2026-44448ERPNext: Unauthorised Document modification due to missing validation5.9May 13, 2026
• CVE-2026-44447ERPNext: Possibility of SQL Injection due to missing validation8.8May 13, 2026
• CVE-2026-44446ERPNext: Possibility of SQL Injection due to missing validation8.8May 13, 2026
• CVE-2026-44445ERPNext: XML External Entity (XEE) Reference Vulnerability in the EDI Module6.5May 13, 2026
• CVE-2026-44441ERPNext: Possible SSRF by any authenticated user5.0May 13, 2026
• CVE-2026-44440ERPNext: Path Traversal Leading to Sensitive File Exposure6.5May 13, 2026
• CVE-2026-44442ERPNext: Unauthorised Document modification due to missing validation9.9May 13, 2026
• CVE-2023-54345Frappe Framework ERPNext 13.4.0 Remote Code Execution8.8May 5, 2026
• CVE-2026-38432ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript ...6.1May 5, 2026
• CVE-2026-38431ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed ...9.8May 5, 2026
• CVE-2026-41430Press vulnerable to reflected XSS on login redirection6.1Apr 24, 2026
• CVE-2026-41317Frappe Press has an unsafe HTTP method / CSRF-adjacent issue on API secret generation7.5Apr 24, 2026
• CVE-2026-3837Frappe Framework 16.10.0 - Stored DOM XSS in Multiple Field Formatters5.4Apr 22, 2026
• CVE-2026-3673Frappe Framework 16.10.0 - Stored DOM XSS in Tag Pill Renderer5.4Apr 22, 2026