We have received multiple VAPT observations for the Vault application built on Frappe Framework.
Some of the reported vulnerabilities appear to be related to framework-level behavior (e.g., command execution handling, session management, client-side libraries), while others may be specific to our custom implementation.
We would like your guidance on the following:
- Should these issues be fixed within our custom app layer?
- Or do any of these require core framework-level changes?
- Is it recommended to override framework components, or should we wait for an official patch?
Kindly advise on the best approach to proceed with remediation.