CVE-2026-44448

< 15.102.0

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to en

5.9MEDIUM

CVE-2026-44447

< 16.9.0

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL inject

8.8HIGH

CVE-2026-44446

< 15.104.3

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable

8.8HIGH

CVE-2026-44445

< 15.104.3

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML

6.5MEDIUM

CVE-2026-44442

< 16.9.1

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper a

9.9CRITICAL

CVE-2026-44441

< 15.106.0

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a

5.0MEDIUM

CVE-2026-44440

< 15.101.1

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pa

6.5MEDIUM

CVE-2026-38432

<= 15.103.1

ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission

6.1MEDIUM

CVE-2026-38431

<= 15.103.1

ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit

9.8CRITICAL

CVE-2023-54345

all versions

Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with S

8.8HIGH

CVE-2026-41430

< 0.16.0

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (S

6.1MEDIUM

CVE-2026-41317

< 0.9.0

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (S

7.5HIGH

CVE-2026-3837

all versions

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another

5.4MEDIUM

CVE-2026-3673

all versions

An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the lis

5.4MEDIUM

CVE-2026-41320

< 14.38.1

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted

6.5MEDIUM

CVE-2026-40889

< 15.58.2

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users

6.5MEDIUM

CVE-2026-40888

< 15.58.1

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated use

6.5MEDIUM

CVE-2026-39415

>= 2.0.0 and < 2.46.0

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerab

4.3MEDIUM

CVE-2026-31017

all versions

A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framewor

9.1CRITICAL

CVE-2026-39351

< 15.104.0

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API

9.1CRITICAL

CVE-2026-35614

< 15.104.0

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulk_update. This v

9.8CRITICAL

CVE-2026-34606

>= 2.27.0 and < 2.48.0

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to befo

6.1MEDIUM

CVE-2026-32954

< 15.100.0

ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were

7.1HIGH

CVE-2026-31879

< 14.100.2

Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improp

5.4MEDIUM

CVE-2026-31878

< 14.100.1

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted r

5.0MEDIUM

CVE-2026-31877

< 14.99.0

Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endp

9.8CRITICAL

CVE-2026-29081

< 14.100.1

Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injec

6.5MEDIUM

CVE-2026-29077

< 14.100.0

Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing

7.1HIGH

CVE-2026-28436

< 15.102.0

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL

7.2HIGH

CVE-2026-27471

< 15.98.1

ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, cer

9.1CRITICAL

CVE-2026-26977

>= 2.0.0 and < 2.45.0

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.44.0 and belo

5.3MEDIUM

CVE-2026-26031

>= 2.0.0 and < 2.44.0

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.44.0, security i

5.3MEDIUM

CVE-2026-25956

< 14.99.14

Frappe is a full-stack web application framework. Prior to 14.99.14 and 15.94.0, an attacker could craft a malicious signup URL fo

6.1MEDIUM

CVE-2025-65924

<= 15.88.1

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically <a> hyperlinks in fields that are intended for p

4.1MEDIUM

CVE-2025-65923

<= 15.88.1

A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when usin

5.4MEDIUM

CVE-2026-23497

>= 2.0.0 and < 2.45.0

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In 2.44.0 and earlier, ther

5.4MEDIUM

CVE-2025-68953

< 14.99.6

Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are

7.5HIGH

CVE-2025-68929

< 14.99.6

Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permi

9.0CRITICAL

CVE-2025-68928

< 1.56.2

Frappe CRM is an open-source customer relationship management tool. Prior to version 1.56.2, authenticated users could set crafted

5.4MEDIUM

CVE-2025-67289

all versions

An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrar

9.6CRITICAL

CVE-2025-66440

<= 15.89.0

An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext/accounts/doct

8.8HIGH

CVE-2025-66439

<= 15.89.0

An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext.accounts.doct

8.8HIGH

CVE-2025-66438

<= 15.89.0

A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanis

8.8HIGH

CVE-2025-66437

<= 15.89.0

An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0.

8.8HIGH

CVE-2025-66436

<= 15.89.0

An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method of Frappe ERPNext through 15.

4.3MEDIUM

CVE-2025-66435

<= 15.89.0

An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.

4.3MEDIUM

CVE-2025-66434

<= 15.89.0

An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.8

8.8HIGH

CVE-2025-67734

>= 2.0.0 and < 2.42.0

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 al

5.4MEDIUM

CVE-2025-67730

>= 2.0.0 and < 2.42.0

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 al

5.4MEDIUM

CVE-2025-10655

all versions

SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters int

8.8HIGH

CVE-2025-66581

< 2.41.0

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in

6.5MEDIUM

CVE-2025-65267

all versions

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed mal

9.0CRITICAL

CVE-2025-66206

< 14.99.2

Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, certain requests were vulnerable to path traversal

6.8MEDIUM

CVE-2025-66205

< 14.99.2

Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based S

7.1HIGH

CVE-2025-11461

all versions

Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic

8.8HIGH

CVE-2025-64707

>= 2.0.0 and < 2.41.0

Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41

5.4MEDIUM

CVE-2025-64705

>= 2.0.0 and < 2.41.0

Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41

4.3MEDIUM

CVE-2025-62779

>= 2.0.0 and < 2.39.2

Frappe Learning is a learning system that helps users structure their content. In Frappe Learning 2.39.1 and earlier, users were a

5.4MEDIUM

CVE-2025-62778

>= 2.0.0 and < 2.39.2

Frappe Learning is a learning management system. A security issue was identified in Frappe Learning 2.39.1 and earlier, where stud

5.3MEDIUM

CVE-2025-62407

< 14.98.0

Frappe is a full-stack web application framework. Prior to 14.98.0 and 15.83.0, an open redirect was possible through the redirec

6.1MEDIUM

CVE-2025-62158

all versions

Frappe Learning is a learning system that helps users structure their content. In versions prior to 2.38.0, the system did stored

5.3MEDIUM

CVE-2025-11283

all versions

A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Executing m

2.4LOW

CVE-2025-11282

>= 2.34.0 and <= 2.35.0

A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix

2.4LOW

CVE-2025-11281

all versions

A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the comp

5.0MEDIUM

CVE-2025-11280

all versions

A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Pictur

3.7LOW

CVE-2025-56381

all versions

ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get en

6.5MEDIUM

CVE-2025-56380

all versions

Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the frappe.client

6.5MEDIUM

CVE-2025-56379

all versions

A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitra

5.4MEDIUM

CVE-2025-52042

all versions

In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_

8.2HIGH

CVE-2025-52041

all versions

In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation

8.2HIGH

CVE-2025-52040

all versions

In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Injection, whi

8.2HIGH

CVE-2025-52039

all versions

In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/materi

8.2HIGH

CVE-2025-52050

all versions

In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loya

6.5MEDIUM

CVE-2025-52049

all versions

In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnera

6.5MEDIUM

CVE-2025-52047

all versions

In Frappe ErpNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, wh

6.5MEDIUM

CVE-2025-52043

all versions

In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_imp

6.5MEDIUM

CVE-2025-59415

>= 2.0.0 and < 2.35.0

Frappe Learning is a learning system that helps users structure their content. In versions 2.34.1 and below, there is a security v

4.6MEDIUM

CVE-2025-52044

all versions

In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL Injection, which allow

7.5HIGH

CVE-2025-52048

>= 14.0.0 and < 14.96.10

In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at frappe/desk/doctype/tag/tag.py is vulne

6.5MEDIUM

CVE-2025-58439

< 14.89.2

ERP is a free and open source Enterprise Resource Planning tool. In versions below 14.89.2 and 15.0.0 through 15.75.1, lack of val

8.1HIGH

CVE-2025-55732

< 14.96.15

Frappe is a full-stack web application framework. Prior to 15.74.2 and 14.96.15, an attacker could implement SQL injection through

7.5HIGH

CVE-2025-55731

< 14.96.15

Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not

8.8HIGH

CVE-2025-55006

>= 2.0.0 and < 2.34.0

Frappe Learning is a learning system that helps users structure their content. In versions 2.33.0 and below, the image upload func

4.3MEDIUM

CVE-2025-52898

< 14.94.3

Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to

8.8HIGH

CVE-2025-52896

< 14.94.2

Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefull

5.4MEDIUM

CVE-2025-52895

< 14.94.3

Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a spe

7.5HIGH

CVE-2025-28062

all versions

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attac

8.1HIGH

CVE-2025-30217

< 14.93.2

Frappe is a full-stack web application framework. Prior to versions 14.93.2 and 15.55.0, a SQL Injection vulnerability has been id

7.5HIGH

CVE-2025-30214

< 14.89.0

Frappe is a full-stack web application framework. Prior to versions 14.89.0 and 15.51.0, making crafted requests could lead to inf

7.5HIGH

CVE-2025-30213

< 14.91.0

Frappe is a full-stack web application framework. Prior to versions 14.91.0 and 15.52.0, a system user was able to create certain

8.8HIGH

CVE-2025-30212

< 14.89.0

Frappe is a full-stack web application framework. An SQL Injection vulnerability has been identified in Frappe Framework prior to

7.5HIGH

CVE-2024-34074

< 14.74.0

Frappe is a full-stack web application framework. Prior to 15.26.0 and 14.74.0, the login page accepts redirect argument and it al

6.1MEDIUM

CVE-2024-27105

< 14.66.3

Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using cer

8.1HIGH

CVE-2024-24813

< 14.64.0

Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whiteliste

7.5HIGH

CVE-2024-24812

< 14.59.0

Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client s

5.4MEDIUM

CVE-2023-46127

< 14.49.0

Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and an integrated client side lib

5.4MEDIUM

CVE-2023-5555

all versions

Cross-site Scripting (XSS) - Generic in GitHub repository frappe/lms prior to 5614a6203fb7d438be8e2b1e3030e4528d170ec4.

6.1MEDIUM

CVE-2023-42807

<= 1.0.0

Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL

6.3MEDIUM

CVE-2023-41328

< 13.46.1

Frappe is a low code web framework written in Python and Javascript. A SQL Injection vulnerability has been identified in the Frap

4.2MEDIUM

CVE-2022-41712

all versions

Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the applicat

6.5MEDIUM

CVE-2022-3988

<= 14.14.3

A vulnerability was found in Frappe. It has been rated as problematic. Affected by this issue is some unknown functionality of the

3.5LOW

CVE-2022-28598

all versions

Frappe ERPNext 12.29.0 is vulnerable to XSS where the software does not neutralize or incorrectly neutralize user-controllable inp

6.1MEDIUM

CVE-2022-23055

>= 11.0.4 and < 13.1.0

In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low

CVE-2022-23058

>= 12.0.9 and < 13.1.0

ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious

CVE-2022-23057

>= 12.0.9 and < 13.1.0

In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated p

5.4MEDIUM

CVE-2022-23056

>= 13.0.1 and < 13.30.0

In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low

CVE-2020-35175

>= 12.0.0 and <= 12.12.0

Frappe Framework 12 and 13 does not properly validate the HTTP method for the frappe.client API.

5.3MEDIUM

CVE-2020-27508

< 12.10.0

In two-factor authentication, the system also sending 2fa secret key in response, which enables an intruder to breach the 2fa secu

7.5HIGH

CVE-2020-6145

all versions

An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP

8.8HIGH

CVE-2019-20521

all versions

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI.

6.1MEDIUM

CVE-2019-20520

all versions

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI.

6.1MEDIUM

CVE-2019-20519

all versions

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address.

6.1MEDIUM

CVE-2019-20518

all versions

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI.

6.1MEDIUM

CVE-2019-20517

all versions

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI.

6.1MEDIUM

CVE-2019-20516

all versions

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI.

6.1MEDIUM

CVE-2019-20515

all versions

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI.

6.1MEDIUM

CVE-2019-20514

all versions

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI.

6.1MEDIUM

CVE-2019-20529

all versions

In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being store

7.5HIGH

CVE-2019-20511

all versions

ERPNext 11.1.47 allows blog?blog_category= Frame Injection.

6.1MEDIUM

CVE-2019-15700

>= 12.0.0 and <= 12.0.8

public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is af

6.1MEDIUM

CVE-2019-14967

>= 11.0.0 and < 11.1.46

An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. There exists an XSS vulnerability.

6.1MEDIUM

CVE-2019-14966

>= 10.0.0 and <= 12.0.4

An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. There exists an authenticated SQL injection.

8.8HIGH

CVE-2019-14965

>= 10.0.0 and < 12.0.4

An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists.

9.8CRITICAL

CVE-2018-20061

>= 10.0.0 and <= 10.1.76

A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in

7.5HIGH

CVE-2018-3885

all versions

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can

8.8HIGH

CVE-2018-3884

all versions

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can

8.8HIGH

CVE-2018-3883

all versions

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can

8.8HIGH

CVE-2018-3882

all versions

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can

8.8HIGH

CVE-2018-11339

all versions

An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment.

6.1MEDIUM

CVE-2017-1000120

<= 7.1.27

[ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to exe

8.8HIGH