CVE-2026-53568
CVE-2026-53568 is a stored XSS vulnerability in the Frappe Report/List View. This issue was patched in versions 15.107.2 and 16.17.4. The vulnerability has a CVSS score of 6.9 and is classified as MEDIUM severity.
These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-53568 is a stored XSS vulnerability in the Frappe Report/List View. This issue was patched in versions 15.107.2 and 16.17.4. The vulnerability has a CVSS score of 6.9 and is classified as MEDIUM severity.
CVE-2026-44976 is a vulnerability in Frappe, a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM.
CVE-2026-44975 is a vulnerability in Frappe, a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4. The CVSS score for this vulnerability is 5.3, with a severity of MEDIUM.
CVE-2026-44208 is a vulnerability in the Frappe full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, the 'submit_discussion()' endpoint lacked validations, allowing for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.
CVE-2026-44207 is a Medium severity vulnerability in Frappe, a full-stack web application framework. The issue, classified as an Insecure Direct Object Reference (IDOR), allows authenticated users to access other users' email configuration details. This vulnerability existed prior to Frappe versions 15.107.0 and 16.17.0, which have addressed the issue. The Common Vulnerability Scoring System (CVSS) score [truncated]
CVE-2026-44206 is a MEDIUM severity vulnerability in Frappe, a full-stack web application framework. Versions prior to 15.107.2 and 16.17.4 are affected by a DB Schema Enumeration vulnerability through an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4. The vulnerability was published on [cvePublishedAt] and last modified on [cveModifiedAt].
CVE-2026-47739 is a MEDIUM severity vulnerability in Frappe, a full-stack web application framework. The vulnerability is due to lack of sanitization in Note, which allows for stored XSS. This issue has been patched in versions 15.106.0 and 16.16.0.
CVE-2026-44205 is a stored XSS vulnerability in the user profile image section of Frappe, a full-stack web application framework. This issue allows an attacker to execute malicious scripts in the browsers of other users. The vulnerability has been patched in version 15.106.0.
CVE-2026-41581 is a SQL Injection vulnerability in Frappe, a full-stack web application framework. The vulnerability is located in the `get_blog_list` function and has been patched in versions 15.106.0 and 16.16.0. The CVSS score for this vulnerability is 6.9, indicating a medium severity.
CVE-2026-46546 is a vulnerability in Frappe Learning Management System (LMS) prior to version 2.53.0. An authenticated user could supply specially crafted content in certain user-editable fields that, when surfaced in page metadata, caused visitors' browsers to navigate to an attacker-chosen URL. This issue has been patched in version 2.53.0. The CVSS score for this vulnerability is 2.1, indicating a low severity.
CVE-2026-45081 is a medium-severity improper authorization vulnerability in Frappe HR, an open-source human resources management solution. The flaw, present in versions prior to 16.5.0, allows authenticated employees to access other employees' leave details due to missing authorization checks. The vulnerability was disclosed on May 27, 2026, and has been assigned a CVSS 3.1 score of 6.5 (MEDIUM). The issu [truncated]
CVE-2026-39405 is a critical path traversal issue in Frappe Learning Management System (LMS). The advisory says a user with course editing privileges could upload a SCORM ZIP package and write files outside the intended directory. The issue is resolved in version 2.50.1.
CVE-2026-39352 is a high-severity path traversal issue in Frappe that can lead to arbitrary file read. According to the published advisory material, versions prior to 15.105.0 and 16.15.0 are affected, and the issue is resolved in 15.105.0 and 16.15.0. Because the weakness is classified as CWE-22 and the CVSS score is 8.7, this should be treated as a priority patching item for any exposed or internally re [truncated]