VYPR
Medium severity · NVD Advisory · Published Jun 12, 2026 · Updated Jun 12, 2026

CVE-2026-41581

Description

SQL injection vulnerability in Frappe's get_blog_list function allows attackers to execute arbitrary SQL queries.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A SQL injection vulnerability exists in Frappe's get_blog_list function. It affects Frappe Framework releases before 15.106.0 on the 15.x line and before 16.16.0 on the 16.x line. In version 16 the blog functionality was split out into a standalone Frappe Blog module, but the vulnerability still applies to the framework versions listed. The advisory does not fully detail the conditions needed for exploitation, but the function is reachable via web requests. [1]

Exploitation

An attacker exploits the flaw by sending a crafted request to the get_blog_list endpoint with SQL fragments embedded in its parameters. The advisory does not state whether authentication is required; where the endpoint is reachable without a login, no prior authentication is needed. No public exploitation steps appear in the available reference. [1]

Impact

Successful exploitation lets an attacker run arbitrary SQL against the underlying database, which can expose sensitive data, modify records, or otherwise compromise the database. The actual scope is bounded by the privileges of the database account the application connects with. [1]

Mitigation

The issue has been patched in Frappe Framework versions 15.106.0 and 16.16.0. Users should update to these versions or later. No workarounds are available. [1]

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Frappe/Frappe (inferred), 2 version ranges:
    • (no CPE) range: <15.106.0 || >=16.0,<16.16.0
    • (no CPE) range: <15.106.0, <16.16.0

Patches (2)

0f5a3c549e73

chore(release): Bumped to Version 15.106.0

https://github.com/frappe/frappe · Frappe PR Bot · Apr 21, 2026 · Fixed in 15.106.0 · via release-tag
1 file changed · +1 −1
  • frappe/__init__.py · +1 −1 · modified
    @@ -51,7 +51,7 @@
     )
     from .utils.lazy_loader import lazy_import
     
    -__version__ = "15.105.0"
    +__version__ = "15.106.0"
     __title__ = "Frappe Framework"
     
     # This if block is never executed when running the code. It is only used for
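Review bot: the only change in this hunk is `__version__` moving from "15.105.0" to "15.106.0" in frappe/__init__.py; nothing here touches get_blog_list or any query construction, so this commit cannot be reviewed as the SQL injection fix. The page should link the commit that actually changes how get_blog_list builds its query (or the 15.106.0 release notes pointing to it), so a reader can verify that the filter and order-by inputs are parameterized or allowlisted rather than interpolated. As it stands, "Fixed in 15.106.0 via release-tag" only records the release boundary, not the remediation.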
    
cbde93c3a931

chore(release): Bumped to Version 16.16.0

https://github.com/frappe/frappe · Frappe PR Bot · Apr 21, 2026 · Fixed in 16.16.0 · via release-tag
1 file changed · +1 −1
  • frappe/__init__.py · +1 −1 · modified
    @@ -55,7 +55,7 @@
     	render_template,
     )
     
    -__version__ = "16.15.0"
    +__version__ = "16.16.0"
     __title__ = "Frappe Framework"
     
     if TYPE_CHECKING:  # pragma: no cover
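Review bot: same gap as the 15.x commit: this hunk only bumps `__version__` from "16.15.0" to "16.16.0" and contains no change to get_blog_list. Since the page states that the blog functionality was moved into a separate Frappe Blog module in version 16, the page should say explicitly whether the 16.x fix lives in frappe/frappe or in that module's repository, and link the commit that carries the query change; otherwise a reader of the 16.x line cannot tell which component they must actually update beyond the framework version string.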
    

Vulnerability mechanics

Root cause

"Missing input sanitization in the `get_blog_list` function allows an attacker to inject SQL clauses via unsanitized parameters."

Attack vector

An attacker sends a crafted request to the `get_blog_list` endpoint with SQL fragments embedded in its parameters, plausibly the filter or order-by inputs, although the advisory does not name the exact parameters. Because the framework does not sanitize these inputs before building the database query, the injected SQL runs on the database engine. The advisory does not state an authentication requirement; the listing endpoint is reachable over the network, so where it is exposed without a login the attack needs nothing beyond network access to a Frappe application that serves the blog list. Depending on the database user's permissions, the injected payload can read, modify, or delete arbitrary data.

Affected code

The vulnerability resides in the `get_blog_list` function within the Frappe framework. The patch files only show version bumps in `frappe/__init__.py`; the actual code fix for the SQL injection is not included in the provided diff hunks.

What the fix does

The patches shown are version-bump commits for releases 15.106.0 and 16.16.0, which increment the version strings in `frappe/__init__.py`. The actual SQL injection fix in `get_blog_list` is not visible in these diff hunks; the advisory states only that the fix shipped in these releases. For this class of bug the expected remediation is to pass user-supplied values as bind parameters and to restrict structural inputs such as sort columns to an allowlist, so that nothing from the request is spliced into the SQL text; the page does not show which of these the Frappe fix applies.
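The two patterns described in the attack-vector and fix paragraphs above, a listing query that interpolates request parameters into SQL text and its parameterized, allowlisted replacement, as an added example. This is not Frappe's get_blog_list and not the patch; it is a hypothetical listing function over a constructed in-memory SQLite table. The table, its column names, the function names `get_blog_list_vulnerable` and `get_blog_list_fixed`, and the payload strings are all assumptions made here for illustration.

```python
"""
Illustrative SQL-injection pattern of the kind the advisory describes.
Added example code, not Frappe's get_blog_list and not its fix: the schema,
column names and payloads are constructed for demonstration only.
"""
import sqlite3


def make_db():
    """Constructed sample data: two published posts and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE blog_post (name TEXT, title TEXT, blog_category TEXT, "
        "published INTEGER, published_on TEXT)"
    )
    conn.executemany(
        "INSERT INTO blog_post VALUES (?, ?, ?, ?, ?)",
        [
            ("post-1", "Hello", "general", 1, "2026-01-05"),
            ("post-2", "Tips", "howto", 1, "2026-02-10"),
            ("draft-1", "Unreleased roadmap", "general", 0, "2026-03-01"),
        ],
    )
    return conn


def get_blog_list_vulnerable(conn, category=None, order_by="published_on DESC", limit=20):
    """Hypothetical vulnerable listing: request values are spliced into the SQL text,
    so both the filter value and the sort expression are attacker-controlled SQL."""
    sql = "SELECT name, title FROM blog_post WHERE published = 1"
    if category:
        sql += f" AND blog_category = '{category}'"
    sql += f" ORDER BY {order_by} LIMIT {limit}"
    return [row[0] for row in conn.execute(sql).fetchall()]


# Sort columns a caller may request; anything else is rejected, never interpolated.
ALLOWED_ORDER_COLUMNS = {"published_on", "title"}


def get_blog_list_fixed(conn, category=None, order_by="published_on", descending=True, limit=20):
    """Hardened listing: values travel as bind parameters; identifiers (the sort
    column) are checked against an allowlist before being placed in the statement."""
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    direction = "DESC" if descending else "ASC"
    sql = "SELECT name, title FROM blog_post WHERE published = 1"
    params = []
    if category:
        sql += " AND blog_category = ?"
        params.append(category)
    sql += f" ORDER BY {order_by} {direction} LIMIT ?"
    params.append(int(limit))
    return [row[0] for row in conn.execute(sql, params).fetchall()]


# Constructed filter payload: closes the string literal, adds a tautology that
# defeats the published = 1 check, and comments out the rest of the statement.
FILTER_PAYLOAD = "general' OR 1=1 --"

# Constructed sort payload: the vulnerable function would splice this straight
# into the statement text; the fixed one rejects it at the allowlist.
ORDER_PAYLOAD = "published_on; DROP TABLE blog_post"


def demo():
    """Run both versions against the same payloads and report what each returns."""
    conn = make_db()
    leaked = get_blog_list_vulnerable(conn, category=FILTER_PAYLOAD)  # draft leaks
    safe = get_blog_list_fixed(conn, category=FILTER_PAYLOAD)        # treated as a literal
    try:
        get_blog_list_fixed(conn, order_by=ORDER_PAYLOAD)
        order_rejected = False
    except ValueError:
        order_rejected = True
    return leaked, safe, order_rejected


if __name__ == "__main__":
    print(demo())
```

The point of the split between `category` and `order_by` in the fixed version is that bind parameters can carry values but not identifiers or keywords; a sort column therefore has to be validated against a fixed set rather than parameterized, which is the part a "just use placeholders" fix typically misses.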

Preconditions

  • network: Network access to a Frappe application exposing the blog listing endpoint.
  • input: Ability to supply crafted parameters (e.g., filters, order-by clauses) to the get_blog_list function.

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.