Unrated severity · NVD Advisory · Published Mar 5, 2026 · Updated Mar 6, 2026
Frappe: Possibility of SQL Injection due to improper fieldname sanitization
CVE-2026-29081
Description
Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0.
Affected products (2)
Patches
Vulnerability mechanics
References (1)
- github.com/frappe/frappe/security/advisories/GHSA-w3g7-m7xr-2w38 (mitre, x_refsource_CONFIRM)