Publishing security advisories using Github Security Advisory

Hello Community members,

Few months ago we started publishing security advisories using GitHub Security Advisories (GHSA). GHSA let’s us publish disclosures, assign CVEs and safely collaborate with reporters.

You can access them here: Security Advisories · frappe/frappe · GitHub


  • There was one recent critical vulnerability disclosure hence sharing it here. It’s highly recommended to keep your site up to date.
  • We will integrate these reports with Frappe Cloud too, so you can get alerts from single place.

Hello Ankush,

Thank you for this disclosure.

SQL Injection from reporting logic

If this is affecting V12,13 then how can it be solved without upgrading to V14 ?

Any plan to back port the patch ?

Your link seems to be broken. Here’s correct one: SQL Injection from reporting logic · Advisory · frappe/frappe · GitHub

There are no plans to backport to v13, v12. V12 has been EOL since long time :sweat_smile: