Frappe Security Vulnerabilities (CVE)

Explore vulnerabilities and security advisories affecting Frappe products.

3 known CVE vulnerabilities tracked

Critical

High

Medium

Low

None

Vulnerabilities By Year

2025

Products Affected

Erpnext 1 Frappe Crm 1 Frappe 1

All Frappe CVEs

Recent Highest Score Oldest

CVE-2025-68929

9.0 critical

Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server, resulting in remote code execution.

Frappe Dec 29, 2025

CVE-2025-68928

5.4 medium

Frappe CRM is an open-source customer relationship management tool. Prior to version 1.56.2, authenticated users could set crafted URLs in a website field, which were not sanitized, causing cross-site scripting. Version 1.56.2 fixes the issue. No known workarounds are available.

Frappe Crm Dec 29, 2025

CVE-2025-67289

9.6 critical

An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.

Erpnext Dec 22, 2025