PatchSiren

frappe CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM frappe CVE published 2026-06-12

CVE-2026-53568

CVE-2026-53568 is a stored XSS vulnerability in the Frappe Report/List View. This issue was patched in versions 15.107.2 and 16.17.4. The vulnerability has a CVSS score of 6.9 and is classified as MEDIUM severity.

MEDIUM frappe CVE published 2026-06-12

CVE-2026-44976

CVE-2026-44976 is a vulnerability in Frappe, a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM.

MEDIUM frappe CVE published 2026-06-12

CVE-2026-44975

CVE-2026-44975 is a vulnerability in Frappe, a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4. The CVSS score for this vulnerability is 5.3, with a severity of MEDIUM.

MEDIUM frappe CVE published 2026-06-12

CVE-2026-44208

CVE-2026-44208 is a vulnerability in the Frappe full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, the 'submit_discussion()' endpoint lacked validations, allowing for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.

MEDIUM frappe CVE published 2026-06-12

CVE-2026-44207

CVE-2026-44207 is a Medium severity vulnerability in Frappe, a full-stack web application framework. The issue, classified as an Insecure Direct Object Reference (IDOR), allows authenticated users to access other users' email configuration details. This vulnerability existed prior to Frappe versions 15.107.0 and 16.17.0, which have addressed the issue. The Common Vulnerability Scoring System (CVSS) score [truncated]

MEDIUM frappe CVE published 2026-06-12

CVE-2026-44206

CVE-2026-44206 is a MEDIUM severity vulnerability in Frappe, a full-stack web application framework. Versions prior to 15.107.2 and 16.17.4 are affected by a DB Schema Enumeration vulnerability through an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4. The vulnerability was published on [cvePublishedAt] and last modified on [cveModifiedAt].

MEDIUM frappe CVE published 2026-06-12

CVE-2026-47739

CVE-2026-47739 is a MEDIUM severity vulnerability in Frappe, a full-stack web application framework. The vulnerability is due to lack of sanitization in Note, which allows for stored XSS. This issue has been patched in versions 15.106.0 and 16.16.0.

MEDIUM frappe CVE published 2026-06-12

CVE-2026-44205

CVE-2026-44205 is a stored XSS vulnerability in the user profile image section of Frappe, a full-stack web application framework. This issue allows an attacker to execute malicious scripts in the browsers of other users. The vulnerability has been patched in version 15.106.0.

MEDIUM frappe CVE published 2026-06-12

CVE-2026-41581

CVE-2026-41581 is a SQL Injection vulnerability in Frappe, a full-stack web application framework. The vulnerability is located in the `get_blog_list` function and has been patched in versions 15.106.0 and 16.16.0. The CVSS score for this vulnerability is 6.9, indicating a medium severity.

LOW Frappe CVE published 2026-06-10

CVE-2026-46546

CVE-2026-46546 is a vulnerability in Frappe Learning Management System (LMS) prior to version 2.53.0. An authenticated user could supply specially crafted content in certain user-editable fields that, when surfaced in page metadata, caused visitors' browsers to navigate to an attacker-chosen URL. This issue has been patched in version 2.53.0. The CVSS score for this vulnerability is 2.1, indicating a low severity.

MEDIUM frappe CVE published 2026-05-27

CVE-2026-45081

CVE-2026-45081 is a medium-severity improper authorization vulnerability in Frappe HR, an open-source human resources management solution. The flaw, present in versions prior to 16.5.0, allows authenticated employees to access other employees' leave details due to missing authorization checks. The vulnerability was disclosed on May 27, 2026, and has been assigned a CVSS 3.1 score of 6.5 (MEDIUM). The issu [truncated]

CRITICAL frappe CVE published 2026-05-20

CVE-2026-39405

CVE-2026-39405 is a critical path traversal issue in Frappe Learning Management System (LMS). The advisory says a user with course editing privileges could upload a SCORM ZIP package and write files outside the intended directory. The issue is resolved in version 2.50.1.

HIGH frappe CVE published 2026-05-20

CVE-2026-39352

CVE-2026-39352 is a high-severity path traversal issue in Frappe that can lead to arbitrary file read. According to the published advisory material, versions prior to 15.105.0 and 16.15.0 are affected, and the issue is resolved in 15.105.0 and 16.15.0. Because the weakness is classified as CWE-22 and the CVSS score is 8.7, this should be treated as a priority patching item for any exposed or internally re [truncated]