Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

Untriaged
Filter by:
With package: nixos-artwork.wallpapers.nineish-catppuccin-frappe-alt

Found 9 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-35614
created 1 week, 1 day ago
Frappe has a SQL injection in bulk_update

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulk_update. This vulnerability is fixed in 16.14.0 and 15.104.0.

Affected products

frappe
  • ==>= 16.0.0-beta.1, < 16.14.0
  • ==< 15.104.0

Matching in nixpkgs

Permalink CVE-2026-39351
created 1 week, 1 day ago
Frappe allows unrestricted Doctype access via API exploit

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit.

Affected products

frappe
  • ==>= 16.0.0-beta.1, < 16.14.0
  • ==< 15.104.0

Matching in nixpkgs

Permalink CVE-2026-31878
5.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 month ago
Frappe: Possible SSRF by any authenticated user

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0.

Affected products

frappe
  • ==>= 16.0.0, < 16.6.0
  • ==< 14.100.1
  • ==>= 15.0.0, < 15.100.0

Matching in nixpkgs

Permalink CVE-2026-31879
created 1 month ago
Frappe Workspace modification and stored XSS due to improper resource ownership checks

Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other user's private workspaces. Specially crafted requests could lead to stored XSS here. This vulnerability is fixed in 14.100.2, 15.101.0, and 16.10.0.

Affected products

frappe
  • ==< 16.10.0

Matching in nixpkgs

Permalink CVE-2026-31877
created 1 month ago
Frappe SQL Injection due to improper field sanitization

Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0.

Affected products

frappe
  • ==>= 15.0.0, < 15.84.0
  • ==< 14.99.0

Matching in nixpkgs

Permalink CVE-2026-29077
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 1 month, 1 week ago
Frappe: Broken Access Control in DocShare

Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patched in versions 15.98.0 and 14.100.0.

Affected products

frappe
  • ==< 15.98.0
  • ==< 14.100.0

Matching in nixpkgs

Permalink CVE-2026-29081
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 month, 1 week ago
Frappe: Possibility of SQL Injection due to improper fieldname sanitization

Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0.

Affected products

frappe
  • ==< 14.100.1
  • ==< 15.100.0

Matching in nixpkgs

Permalink CVE-2026-28436
created 1 month, 1 week ago
Frappe: Stored XSS in avatar_macro.html

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0.

Affected products

frappe
  • ==< 16.11.0
  • ==< 15.102.0

Matching in nixpkgs

Permalink CVE-2026-25956
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 2 months ago
Frappe Affected by XSS and Open Redirect in Sign Up

Frappe is a full-stack web application framework. Prior to 14.99.14 and 15.94.0, an attacker could craft a malicious signup URL for a frappe site which could lead to an open redirect (or reflected XSS, depending on the crafted payload) when a user signs up. This vulnerability is fixed in 14.99.14 and 15.94.0.

Affected products

frappe
  • ==>= 15.0.0, < 15.94.0
  • ==< 14.99.14

Matching in nixpkgs