8 matches found
CVE-2025-52896
Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting XSS. This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds f...
CVE-2025-52896
Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting XSS. This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds f...
CVE-2025-52895
Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow malicious person to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There...
CVE-2025-52896
CVE-2025-52896 affects Frappe (full‑stack web app framework). Prior to versions 14.94.2 and 15.57.0, authenticated users could upload crafted files via Data Import, causing cross‑site scripting (XSS). The issue is patched in 14.94.2 and 15.57.0; upgrade is the recommended remediation. No public w...
CVE-2025-52896 Frappe authenticated XSS via data import
Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting XSS. This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds f...
CVE-2025-30214
Frappe is a full-stack web application framework. Prior to versions 14.89.0 and 15.51.0, making crafted requests could lead to information disclosure that could further lead to account takeover. Versions 14.89.0 and 15.51.0 fix the issue. There's no workaround to fix this without upgrading...
CVE-2024-24813 Frappe SQL Injection from reporting logic
Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workaround...
CVE-2024-24812 Frappe Authenticated Reflected Cross site scripting (XSS) in portal pages
Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client side library. Prior to versions 14.59.0 and 15.5.0, portal pages are susceptible to Cross-Site Scripting XSS which can be used to inject malicious JS code if user click...