CVE-2026-3673
An authenticated attacker can store a crafted tag value in usertags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping. This issue affects...
CVE-2026-29077
Frappe (full-stack web application framework) is affected by CVE-2026-29077 due to a lack of validation when sharing documents, enabling a user to share a document with a permission they themselves do not possess. Affected versions are prior to 15.98.0 and 14.100.0. The issue has been patched in ...
EUVD-2025-200968
In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful...
Open Redirect
Overview: frappe is a Low Code Open Source Framework in Python and JS. Affected versions of this package are vulnerable to Open Redirect via the redirect argument on the login page when a specially crafted URL is provided. An attacker can redirect users to arbitrary external sites by supplying a...
EUVD-2022-44890
Malicious code in bioql PyPI...
CVE-2025-56380
Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the frappe.client.get_value API endpoint and a crafted script to the fieldname parameter...
CVE-2022-41712
Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter...
Design/Logic Flaw
Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter...
CVE-2017-1000120
ERPNext/Frappe Version = 7.1.27 SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter...
SQL injection
ERPNext/Frappe Version = 7.1.27 SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter...