Lucene search
K

398 matches found

NVD
NVD
added 3 days ago6 views

CVE-2026-48127

Frappe is a full-stack web application framework. Prior to 16.20.0 and 15.110.0, users without write access could attach files to any doctype through file-handling API endpoints such as addattachments. This issue is fixed in versions 16.20.0 and 15.110.0...

5.3CVSS0.00369EPSS
Exploits0References9
NVD
NVD
added 3 days ago5 views

CVE-2026-47422

Frappe is a full-stack web application framework. Prior to 15.107.5 and 16.18.2, an endpoint in reportview lacked appropriate permission checks and that has since been fixed. This vulnerability is fixed in 15.107.5 and 16.18.2...

5.3CVSS0.00278EPSS
Exploits0References1
NVD
NVD
added 3 days ago7 views

CVE-2026-49394

Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the updatepage endpoint in Workspace because public workspaces did not receive the required Workspace Manager edit check. This issue is fixed in version 16.19.0...

7.1CVSS0.00307EPSS
Exploits0References6
NVD
NVD
added 3 days ago7 views

CVE-2026-41482

Frappe is a full-stack web application framework. Prior to 16.18.3, possible path traversal and local file inclusion were possible through secure local resource access in the Chrome PDF Generator. This issue is fixed in version 16.18.3...

7.1CVSS0.00338EPSS
Exploits0References6
NVD
NVD
added 3 days ago6 views

CVE-2026-42219

Frappe is a full-stack web application framework. Prior to 16.19.0 and 15.109.0, path traversal via downloadbackups was possible due to lack of hardening. This issue is fixed in versions 16.19.0 and 15.109.0...

6.9CVSS0.00457EPSS
Exploits0References9
Cvelist
Cvelist
added 3 days ago29 views

CVE-2026-55852 Frappe: TarSlip RCE in Package Import

Frappe is a full-stack web application framework. Prior to 16.23.0 and 15.112.0, TarSlip RCE was possible in Package Import because tarfile members were not sufficiently checked before extraction. This issue is fixed in versions 16.23.0 and 15.112.0...

8.6CVSS0.00457EPSS
Exploits0References9
CVE
CVE
added 3 days ago8 views

CVE-2026-55852

Technical details are not publicly available in the provided documents. Monitor for updates.

8.6CVSS6.1AI score0.00457EPSS
Exploits0References9
CVE
CVE
added 3 days ago10 views

CVE-2026-49394

Frappe CVE-2026-49394: Before version 16.19.0, authorization bypass was possible via the update_page endpoint in Workspace because the Workspace Manager edit check was not enforced for public workspaces. The issue is fixed in 16.19.0. The CVSS metrics indicate a NETWORK attack vector, LOW access ...

7.1CVSS6.1AI score0.00307EPSS
Exploits0References6
CVE
CVE
added 3 days ago9 views

CVE-2026-48127

Frappe CVE-2026-48127 concerns an attacker could exploit attachment handling to inject arbitrary attachments in Doctypes. Specifically, prior to version 16.20.0 and 15.110.0, users without write access could attach files to any doctype via file-handling endpoints such as add_attachments. The issu...

5.3CVSS6.1AI score0.00369EPSS
Exploits0References9
Cvelist
Cvelist
added 3 days ago28 views

CVE-2026-41482 Frappe: Possible Path Traversal and Local File Inclusion via Chrome PDF Generator

Frappe is a full-stack web application framework. Prior to 16.18.3, possible path traversal and local file inclusion were possible through secure local resource access in the Chrome PDF Generator. This issue is fixed in version 16.18.3...

7.1CVSS0.00338EPSS
Exploits0References6
CVE
CVE
added 3 days ago8 views

CVE-2026-41482

Technical details of CVE-2026-41482 are not publicly available in the provided connected documents. Monitor for updates and refer to the initial description for basic vulnerability context (Frappe Chrome PDF Generator path traversal/LFI fixed in 16.18.3).

7.1CVSS6.1AI score0.00338EPSS
Exploits0References6
Cvelist
Cvelist
added 3 days ago29 views

CVE-2026-47199 Frappe: check_safe_sql_query Permits SELECT INTO OUTFILE

Frappe is a full-stack web application framework. Prior to 16.18.3 and 15.108.0, checksafesqlquery permitted SELECT INTO OUTFILE queries, which could potentially work on self-hosted sites if database permissions are not well aligned and MySQL FILE privileges are available. This issue is fixed in...

2.3CVSS0.00401EPSS
Exploits0References7
CVE
CVE
added 3 days ago8 views

CVE-2026-58503

Frappe CVE-2026-58503 affects the reset_password endpoint, allowing unauthenticated user enumeration prior to versions 16.16.0 and 15.106.0. The issue is mitigated by the fixes introduced in 16.16.0 and 15.106.0. The CVSS metrics (v4.0) indicate NETWORK access with low attack complexity and no pr...

6.9CVSS6.1AI score0.00354EPSS
Exploits0References7
CVE
CVE
added 3 days ago7 views

CVE-2026-47422

CVE-2026-47422 affects the Frappe framework. An endpoint in reportview allowed unrestricted access to save_report due to missing permission checks prior to versions 15.107.5 and 16.18.2. The issue is fixed in those versions (15.107.5 and 16.18.2). The provided references include a GitHub advisory...

5.3CVSS6.1AI score0.00278EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-57325

Name of the Vulnerable Software and Affected Versions Frappe versions prior to 16.23.0 Frappe versions prior to 15.112.0 Description A TarSlip Remote Code Execution RCE issue exists in the Package Import feature. This occurs because members of tarfiles are not sufficiently validated before...

8.6CVSS6.3AI score0.00457EPSS
Exploits0References13
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-57334

Name of the Vulnerable Software and Affected Versions Frappe versions prior to 16.16.0 Frappe versions prior to 15.106.0 Description User enumeration is possible through the 'reset password' endpoint. User enumeration is a technique used to verify if a specific user exists within a system by...

6.9CVSS6.1AI score0.00354EPSS
Exploits0References11
EUVD
EUVD
added 2026/06/24 6:32 p.m.5 views

EUVD-2026-38796

A Stored Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.getavatar function...

4.6CVSS5.8AI score0.00256EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/24 6:32 p.m.6 views

EUVD-2026-38803

A Stored Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the MultiSelectDialog component...

4.8CVSS5.8AI score0.00239EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/24 6:32 p.m.8 views

EUVD-2026-38807

A Stored Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component...

4.6CVSS5.8AI score0.00256EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/24 6:32 p.m.6 views

EUVD-2026-38805

A Stored Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications Events panel...

4.8CVSS5.8AI score0.00239EPSS
Exploits0References3
Rows per page
Query Builder