Akhil Narang

8 exploits Active since Mar 2025
CVE-2025-30212 WRITEUP HIGH WRITEUP
Frappe Framework <14.89.0, <15.51.0 - SQL Injection
Frappe is a full-stack web application framework. An SQL Injection vulnerability has been identified in Frappe Framework prior to versions 14.89.0 and 15.51.0 which could allow a malicious actor to access sensitive information. Versions 14.89.0 and 15.51.0 fix the issue. Upgrading is required; no other workaround is present.
CVSS 7.5
CVE-2025-52895 WRITEUP HIGH WRITEUP
Frappe < 14.94.3 - SQL Injection
Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow malicious person to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There are no workarounds for this issue other than upgrading.
CVSS 7.5
CVE-2025-52898 WRITEUP HIGH WRITEUP
Frappe < 14.94.3 - Information Disclosure
Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users.
CVSS 8.8
CVE-2025-55731 WRITEUP HIGH WRITEUP
Frappe <15.74.2, <14.96.15 - Info Disclosure
Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not have access to, via SQL injection. This vulnerability is fixed in 15.74.2 and 14.96.15.
CVSS 8.8
CVE-2025-55732 WRITEUP HIGH WRITEUP
Frappe <15.74.2,14.96.15 - SQL Injection
Frappe is a full-stack web application framework. Prior to 15.74.2 and 14.96.15, an attacker could implement SQL injection through specially crafted requests, allowing malicious people to access sensitive information. This vulnerability is a bypass of the official patch released for CVE-2025-52895. This vulnerability is fixed in 15.74.2 and 14.96.15.
CVSS 7.5
CVE-2025-66205 WRITEUP HIGH WRITEUP
Frappe <15.86.0-14.99.2 - SQL Injection
Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2.
CVSS 7.1
CVE-2025-68953 WRITEUP HIGH WRITEUP
Frappe <14.99.5 & 15.0-15.80.1 - Path Traversal
Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are vulnerable to path traversal attacks. Arbitrary files from the server could be retrieved due to a lack of proper sanitization on some requests. This issue is fixed in versions 14.99.6 and 15.88.1. To workaround, changing the setup to use a reverse proxy is recommended.
CVSS 7.5
CVE-2026-25956 WRITEUP MEDIUM WRITEUP
Frappe <14.99.14-15.94.0 - Open Redirect
Frappe is a full-stack web application framework. Prior to 14.99.14 and 15.94.0, an attacker could craft a malicious signup URL for a frappe site which could lead to an open redirect (or reflected XSS, depending on the crafted payload) when a user signs up. This vulnerability is fixed in 14.99.14 and 15.94.0.
CVSS 6.1