Unrated severity · NVD Advisory · Published Mar 5, 2026 · Updated Mar 6, 2026

Frappe: Possibility of SQL Injection due to improper fieldname sanitization

CVE-2026-29081

Description

Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0.

Affected products

  • Frappe/Frappe (2 versions): < 14.100.1, < 15.100.0
    • (no CPE) range: < 14.100.1, < 15.100.0
    • (no CPE) range: < 15.100.0
