8.8

Frappe: Sensitive info can be stolen with crafted web requests

CVE-2026-29081
Summary

In Frappe versions prior to 14.100.1 and 15.100.0, an attacker could access sensitive data, such as passwords or financial information, by sending a specially crafted request to the affected web application. Update to the latest version of Frappe to protect against this threat.

What to do

Update to Frappe 14.100.1 or 15.100.0, the versions in which this issue has been patched.

Affected software
Vendor  Product  Affected versions      Fix available
frappe  frappe   <= 14.100.1
frappe  frappe   > 15.0.0, <= 15.100.0
Original title
Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malici...
Original description
Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0.
NVD CVSS 3.1: 6.5
Vulnerability type
CWE-89 SQL Injection
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026