CVE-2026-29081
Received Received - Intake
SQL Injection in Frappe Framework Endpoint Allows Data Exposure

Publication date: 2026-03-05

Last updated on: 2026-03-09

Assigner: GitHub, Inc.

Description
Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29081
EUVD
EUVD-2026-9883
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
frappe frappe to 14.100.1 (exc)
frappe frappe From 15.0.0 (inc) to 15.100.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29081 is a moderate severity SQL injection vulnerability in the Frappe web application framework versions prior to 14.100.1 and 15.100.0.

The vulnerability occurs because of improper sanitization of field names in SQL queries, which allows specially crafted requests to inject malicious SQL code.

This means an attacker can manipulate the SQL commands executed by the application to extract sensitive information from the database.

The attack does not require user interaction and can be performed remotely over the network with low complexity, although low privileges are needed.

The issue is identified as CWE-89, which involves improper neutralization of special elements in SQL commands.

The vulnerability has been fixed by upgrading to versions 14.100.1 or 15.100.0 of Frappe.

Impact Analysis

This vulnerability can allow an attacker to extract sensitive information from your database without your knowledge.

Since the confidentiality impact is high, sensitive data such as user information, credentials, or business data could be exposed.

However, the vulnerability does not affect the integrity or availability of the system, meaning it does not allow data modification or denial of service.

The attack can be performed remotely with low complexity and requires only low privileges, increasing the risk of exploitation.

To mitigate this risk, it is necessary to upgrade to the patched versions 14.100.1 or 15.100.0.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you must upgrade the frappe package to version 14.100.1 or 15.100.0 or later.

There are no workarounds available, so applying the patch by upgrading is the only effective mitigation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29081. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart