Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Frappe

Source -

CNA

CNA CVEs -

4

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
4Vulnerabilities found
CVE-2026-3837
Assigner-Fluid Attacks
ShareView Details
Assigner-Fluid Attacks
CVSS Score-4.6||MEDIUM
EPSS-0.03% / 9.96%
||
7 Day CHG~0.00%
Published-22 Apr, 2026 | 19:52
Updated-14 May, 2026 | 21:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frappe Framework 16.10.0 - Stored DOM XSS in Multiple Field Formatters

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping This issue affects Frappe: 16.10.0.

Action-Not Available
Vendor-frappeFrappe
Product-frappeFrappe
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-3673
Assigner-Fluid Attacks
ShareView Details
Assigner-Fluid Attacks
CVSS Score-4.6||MEDIUM
EPSS-0.04% / 11.70%
||
7 Day CHG~0.00%
Published-22 Apr, 2026 | 19:32
Updated-12 May, 2026 | 15:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frappe Framework 16.10.0 - Stored DOM XSS in Tag Pill Renderer

An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping. This issue affects Frappe: 16.10.10.

Action-Not Available
Vendor-frappeFrappe
Product-frappeFrappe
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-41712
Assigner-Fluid Attacks
ShareView Details
Assigner-Fluid Attacks
CVSS Score-6.5||MEDIUM
EPSS-0.43% / 62.69%
||
7 Day CHG+0.04%
Published-25 Nov, 2022 | 00:00
Updated-29 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter.

Action-Not Available
Vendor-frappen/a
Product-frappeFrappe
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-3988
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.32% / 55.03%
||
7 Day CHG~0.00%
Published-14 Nov, 2022 | 00:00
Updated-15 Apr, 2025 | 13:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frappe Search navbar_search.html cross site scripting

A vulnerability was found in Frappe. It has been rated as problematic. Affected by this issue is some unknown functionality of the file frappe/templates/includes/navbar/navbar_search.html of the component Search. The manipulation of the argument q leads to cross site scripting. The attack may be launched remotely. The name of the patch is bfab7191543961c6cb77fe267063877c31b616ce. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-213560.

Action-Not Available
Vendor-frappeunspecified
Product-frappeFrappe
CWE ID-CWE-707
Improper Neutralization
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')