Aggregates CVE and security vulnerability intelligence across all Frappe-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Common weakness patterns include vendor risk sql injection, vendor risk path handling, vendor risk ssrf, and vendor risk open redirect, with potential vendor impact data exposure across vendor surface production workloads use cases.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-44448 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 15.102.0 and 16.11.0. | [email protected] | 5.9 | 0.03% | 2026-05-13 | 2026-05-15 |
| CVE-2026-44447 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 16.9.0. | [email protected] | 8.8 | 0.06% | 2026-05-13 | 2026-05-14 |
| CVE-2026-44446 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 15.104.3 and 16.14.0. | [email protected] | 8.8 | 0.06% | 2026-05-13 | 2026-05-14 |
| CVE-2026-44445 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference vulnerability in the EDI Module enables an authenticated attacker to read files from the local file system, including sensitive configuration files. This vulnerability is fixed in 15.104.3 and 16.12.0. | [email protected] | 5.3 | 0.05% | 2026-05-13 | 2026-05-14 |
| CVE-2026-44442 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 16.9.1. | [email protected] | 9.9 | 0.04% | 2026-05-13 | 2026-05-14 |
| CVE-2026-44441 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoint, which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 15.106.0 and 16.16.0. | [email protected] | 5.0 | 0.02% | 2026-05-13 | 2026-05-14 |
| CVE-2026-44440 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability on an endpoint allows an authenticated adjacent attacker to read arbitrary files. This vulnerability is fixed in 15.101.1 and 16.10.0. | [email protected] | 6.5 | 0.05% | 2026-05-13 | 2026-05-14 |
| CVE-2026-38432 | ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's browser when the template is applied. | [email protected] | 6.1 | 0.02% | 2026-05-05 | 2026-05-08 |
| CVE-2026-38431 | ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered. | [email protected] | 9.8 | 0.06% | 2026-05-05 | 2026-05-08 |
| CVE-2023-54345 | Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the gi_frame attribute to traverse the call stack and invoke os.popen to execute system commands. | [email protected] | 8.7 | 0.10% | 2026-05-05 | 2026-05-05 |
| CVE-2026-41430 | Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting redirects to internal URLs only. | [email protected] | 1.3 | 0.03% | 2026-04-24 | 2026-04-30 |
| CVE-2026-41317 | Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts method to POST. | [email protected] | 6.6 | 0.02% | 2026-04-24 | 2026-04-30 |
| CVE-2026-3837 | An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping This issue affects Frappe: 16.10.0. | [email protected] | 4.6 | 0.03% | 2026-04-22 | 2026-05-14 |
| CVE-2026-3673 | An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping. This issue affects Frappe: 16.10.10. | [email protected] | 4.6 | 0.03% | 2026-04-22 | 2026-05-12 |
| CVE-2026-41320 | Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available. | [email protected] | 6.5 | 0.03% | 2026-04-21 | 2026-04-27 |
| CVE-2026-40889 | Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available. | [email protected] | 6.5 | 0.03% | 2026-04-21 | 2026-04-27 |
| CVE-2026-40888 | Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available. | [email protected] | 6.5 | 0.03% | 2026-04-21 | 2026-04-27 |
| CVE-2026-39415 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on client-side calculated scores, which can be altered using browser developer tools prior to sending the submission request. While this does not allow modification of other users’ data or privilege escalation, it compromises t | [email protected] | 5.3 | 0.04% | 2026-04-08 | 2026-04-13 |
| CVE-2026-31017 | A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this be | [email protected] | 9.1 | 0.02% | 2026-04-08 | 2026-04-14 |
| CVE-2026-39351 | Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit. | [email protected] | 6.9 | 0.04% | 2026-04-07 | 2026-04-10 |