Impact
An endpoint in Frappe versions prior to 14.100.1 and 15.100.0 allows maliciously crafted requests to perform SQL injection, potentially enabling attackers to read or manipulate database contents. The flaw arises from inadequate sanitization of field names supplied by the user. This weakness (CWE-89) can lead to the disclosure of sensitive data, violating confidentiality, and may be a first step toward further exploitation if additional vulnerabilities exist. The problem is confined to the specific endpoint and does not grant system-wide privileges by itself, but the impact depends on the data accessible through the database.
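The following is an added example, not Frappe's code or its actual fix: a generic sketch of allowlisting user-supplied field names, needed because SQL placeholders bind values but cannot bind identifiers. The table names, sample rows and the functions `table_columns`, `select_fields` and `demo` are hypothetical and constructed for illustration, using Python's standard `sqlite3` module.

```python
import re
import sqlite3

# Conservative identifier shape: letters, digits, underscore only.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def table_columns(conn, table):
    """Return the real column names of `table` (table name comes from code, not the request)."""
    if not _IDENT.match(table):
        raise ValueError(f"invalid table name: {table!r}")
    return {row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')}

def select_fields(conn, table, fields, row_id):
    """Fetch user-chosen columns for one row.

    Placeholders bind values only, never identifiers, so every field name
    is checked against the table's actual columns before it is
    interpolated into the statement text.
    """
    allowed = table_columns(conn, table)
    if not fields:
        raise ValueError("no fields requested")
    for f in fields:
        if not isinstance(f, str) or not _IDENT.match(f) or f not in allowed:
            raise ValueError(f"rejected field name: {f!r}")
    cols = ", ".join(f'"{f}"' for f in fields)
    sql = f'SELECT {cols} FROM "{table}" WHERE id = ?'  # value stays bound
    return conn.execute(sql, (row_id,)).fetchone()

def demo():
    """Build constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contact (id INTEGER PRIMARY KEY, full_name TEXT, email TEXT)")
    conn.execute("CREATE TABLE api_secret (id INTEGER PRIMARY KEY, token TEXT)")
    conn.execute("INSERT INTO contact VALUES (1, 'Ada Example', 'ada@example.test')")
    conn.execute("INSERT INTO api_secret VALUES (1, 'constructed-token')")
    return conn

if __name__ == "__main__":
    conn = demo()
    print(select_fields(conn, "contact", ["full_name", "email"], 1))
    try:
        # A field "name" that is really an expression is refused before any SQL runs.
        select_fields(conn, "contact", ["email, (SELECT token FROM api_secret)"], 1)
    except ValueError as exc:
        print("blocked:", exc)
```

The same check applies to any request parameter that ends up as an identifier, such as sort or group-by columns.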
Affected Systems
The vulnerable product is the Frappe framework, listed under the frappe:frappe identifier. All releases before version 14.100.1 of the 14.x series and before 15.100.0 of the 15.x series are impacted. Deployments running these versions should consider upgrading immediately.
Risk and Exploitability
The CVSS score of 6.5 classifies the vulnerability as Medium severity. The EPSS score is below 1%, indicating that the likelihood of exploitation is low, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers would need to send crafted requests to the vulnerable endpoint, typically over HTTP(S), and would require network access to the application instance. While the risk is moderate, organizations running affected Frappe instances should treat the issue with urgency because the data at risk may be highly sensitive.