Description
Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not have access to, via SQL injection. This vulnerability is fixed in 15.74.2 and 14.96.15.
References (3)
Core References
Vendor Advisory (x_refsource_confirm): https://github.com/frappe/frappe/security/advisories/GHSA-5p8f-568f-vfq2
Patch (x_refsource_misc): https://github.com/frappe/frappe/commit/93ee30c638bf7a7e33e2937a0adccac14c38b410
Patch (x_refsource_misc): https://github.com/frappe/frappe/commit/c2b01e3eb6f50e9bd05df0440f5cbf5dfbc1badd
Scores
CVSS v3: 8.8
EPSS: 0.0004
EPSS Percentile: 10.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-89
Status: published
Products (1)
frappe/frappe: < 14.96.15
Published: Aug 20, 2025
Tracked Since: Feb 18, 2026