Frappe up to 14.100.0/15.99.x sql injection

Summaryinfo

A vulnerability was found in Frappe up to 14.100.0/15.99.x. It has been rated as critical. Affected is an unknown function. Performing a manipulation results in sql injection. This vulnerability was named CVE-2026-29081. The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is advised.

Detailsinfo

A vulnerability, which was classified as critical, was found in Frappe up to 14.100.0/15.99.x. This affects an unknown function. The manipulation with an unknown input leads to a sql injection vulnerability. CWE is classifying the issue as CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0.

The advisory is shared at github.com. This vulnerability is uniquely identified as CVE-2026-29081 since 03/03/2026. The exploitability is told to be easy. It is possible to initiate the attack remotely. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1505 for this issue.

Upgrading to version 14.100.1 or 15.100.0 eliminates this vulnerability.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Name

• Frappe

Version

• 14.100
• 15.0
• 15.1
• 15.2
• 15.3
• 15.4
• 15.5
• 15.6
• 15.7
• 15.8
• 15.9
• 15.10
• 15.11
• 15.12
• 15.13
• 15.14
• 15.15
• 15.16
• 15.17
• 15.18
• 15.19
• 15.20
• 15.21
• 15.22
• 15.23
• 15.24
• 15.25
• 15.26
• 15.27
• 15.28
• 15.29
• 15.30
• 15.31
• 15.32
• 15.33
• 15.34
• 15.35
• 15.36
• 15.37
• 15.38
• 15.39
• 15.40
• 15.41
• 15.42
• 15.43
• 15.44
• 15.45
• 15.46
• 15.47
• 15.48
• 15.49
• 15.50
• 15.51
• 15.52
• 15.53
• 15.54
• 15.55
• 15.56
• 15.57
• 15.58
• 15.59
• 15.60
• 15.61
• 15.62
• 15.63
• 15.64
• 15.65
• 15.66
• 15.67
• 15.68
• 15.69
• 15.70
• 15.71
• 15.72
• 15.73
• 15.74
• 15.75
• 15.76
• 15.77
• 15.78
• 15.79
• 15.80
• 15.81
• 15.82
• 15.83
• 15.84
• 15.85
• 15.86
• 15.87
• 15.88
• 15.89
• 15.90
• 15.91
• 15.92
• 15.93
• 15.94
• 15.95
• 15.96
• 15.97
• 15.98
• 15.99

Website

• Product: https://github.com/frappe/frappe/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion