{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29081", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T20:51:43.483Z", "datePublished": "2026-03-05T20:23:13.490Z", "dateUpdated": "2026-03-06T17:02:00.462Z"}, "containers": {"cna": {"title": "Frappe: Possibility of SQL Injection due to improper fieldname sanitization", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/frappe/frappe/security/advisories/GHSA-w3g7-m7xr-2w38", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-w3g7-m7xr-2w38"}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"version": "< 15.100.0", "status": "affected"}, {"version": "< 14.100.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T20:23:13.490Z"}, "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0."}], "source": {"advisory": "GHSA-w3g7-m7xr-2w38", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T17:01:52.901429Z", "id": "CVE-2026-29081", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T17:02:00.462Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29081", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T17:01:52.901429Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T17:01:56.754Z"}}], "cna": {"title": "Frappe: Possibility of SQL Injection due to improper fieldname sanitization", "source": {"advisory": "GHSA-w3g7-m7xr-2w38", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"status": "affected", "version": "< 15.100.0"}, {"status": "affected", "version": "< 14.100.1"}]}], "references": [{"url": "https://github.com/frappe/frappe/security/advisories/GHSA-w3g7-m7xr-2w38", "name": "https://github.com/frappe/frappe/security/advisories/GHSA-w3g7-m7xr-2w38", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T20:23:13.490Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29081", "state": "PUBLISHED", "dateUpdated": "2026-03-06T17:02:00.462Z", "dateReserved": "2026-03-03T20:51:43.483Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T20:23:13.490Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "matchCriteriaId": "D29871FA-D57A-4071-B42F-3851E949A7EA", "versionEndExcluding": "14.100.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "matchCriteriaId": "61BD0398-8BC6-42D8-A28E-460D741A5285", "versionEndIncluding": "15.100.0", "versionStartIncluding": "15.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0."}, {"lang": "es", "value": "Frappe es un framework de aplicaci\u00f3n web full-stack. Antes de las versiones 14.100.1 y 15.100.0, un endpoint era vulnerable a inyecci\u00f3n SQL a trav\u00e9s de solicitudes especialmente dise\u00f1adas, lo que permitir\u00eda a un actor malicioso extraer informaci\u00f3n sensible. Este problema ha sido parcheado en las versiones 14.100.1 y 15.100.0."}], "id": "CVE-2026-29081", "lastModified": "2026-03-09T18:44:27.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-05T21:16:22.947", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-w3g7-m7xr-2w38"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,15.100.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,14.100.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "frappe", "source": "cna", "vendor": "frappe"}, "product": "frappe", "vendor": "frappe"}], "analysis": {"en": {"generated_at": "2026-04-16T12:08:56.353556+00:00", "value": {"mitigation_remediation": ["Upgrade the Frappe framework to version 14.100.1 or newer, or to version 15.100.0 or newer, which contain the fix for the injection flaw.", "If an upgrade cannot be performed immediately, restrict network access to the vulnerable endpoint or disable it entirely to prevent exposed injection points.", "Implement server\u2011side input validation and sanitization for all incoming field names in accordance with OWASP GUIDELINES to mitigate similar injection weaknesses."], "summary": {"action": "Apply Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "The vulnerable product is the Frappe framework, available under the frappe:frappe umbrella. All releases before version 14.100.1 of the 14.x series and before 15.100.0 of the 15.x series are impacted. Deployments using these versions should immediately consider an upgrade.", "description_and_impact": "An endpoint in Frappe versions prior to 14.100.1 and 15.100.0 allows maliciously crafted requests to perform SQL injection, potentially enabling attackers to read or manipulate database contents. The flaw arises from inadequate sanitization of field names supplied by the user. This weakness (CWE\u201189) can lead to the disclosure of sensitive data, violating confidentiality, and may be a first step toward further exploitation if additional vulnerabilities exist. The problem is confined to the specific endpoint and does not grant system\u2011wide privileges by itself, but the impact depends on the data accessible through the database.", "risk_and_exploitability": "The CVSS score of 6.5 classifies the vulnerability as Medium severity. The EPSS score is below 1\u202f%, indicating that exploitation likelihood is low, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers would need to send crafted requests to the vulnerable endpoint, typically over HTTP(S), and would require network access to the application instance. While the risk is moderate, organizations running affected Frappe instances should treat the issue with urgency because the data at risk may be highly sensitive."}}}}, "created": "2026-03-06T15:01:00.044407+00:00", "updated": "2026-04-16T12:15:35.091212+00:00", "vendors": ["frappe", "frappe$PRODUCT$frappe"]}