ERPNext Security Bulletin

This security bulletin contains detailed information about vulnerabilities affecting the Frappe Framework and ERPNext.


  • The listed vulnerabilities and exploits have been patched in all currently supported versions of Frappe.
  • The list is to be considered as a comprehensive compendium of all the vulnerabilities and exploits.
    • The disclosure of any valid reported issue will take place after 60 days from the reporting period.
    • If any of the issues fixed haven't been added to the list, please contact us regarding the same.
    • If you find any vulnerability or exploit in the system that needs to be fixed, please report it to us.
Reference Reported By Affected Applications Severity
CVE-2020-27508 Sayed Redha shubber Frappe V12 and V13 Critical
CVE-2020-35175 Mart Gil Robles Frappe Critical
CVE-2019-20529 Sayed Redha Shubber Frappe v11, Frappe v12 Critical
CVE-2019-14967 Netsparker Frappe Framework Moderate
CVE-2019-14965 Eugene Kolodenker Frappe, ERPNext Moderate
CVE-2019-14966 Eugene Kolodenker Frappe, ERPNext Critical
CVE-2019-7532 Mikhail Klyuchnikov Frappe v12 Moderate
CVE-2019-7528 Mikhail Klyuchnikov Frappe v12, ERPNext v12 Moderate
CVE-2019-7530 Mikhail Klyuchnikov Frappe v12, ERPNext v12 Important
CVE-2019-7533 Mikhail Klyuchnikov Frappe v12 Critical
CVE-2019-7531 Brian Hyde Frappe v11 Important
CVE-2019-7529 Anonymous Frappe v10 Moderate
CVE-2019-7534 Brian Hyde Frappe v10 Moderate
CVE-2019-7527 Kent Bayron Frappe v10, ERPNext v10 Moderate
CVE-2018-20207 felixvarghese Frappe v10 Moderate