Description
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available.
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

A specially crafted request to a specific Frappe HR endpoint can allow an attacker to inject SQL, enabling unauthorized data extraction. The vulnerability is a typical SQL injection flaw (CWE-89). It does not lead to code execution and, beyond data disclosure, does not affect system integrity.

Affected Systems

Frappe HRMS versions earlier than 15.54.0 or 14.38.1 are susceptible. The issue applies to the open-source HR management solution maintained by the Frappe community.

Risk and Exploitability

The CVSS score is 6.5, indicating medium severity. No EPSS value is available, so the current exploitation probability is unknown, and the absence of a KEV listing does not rule out real impact. An attack only requires sending a crafted request and does not need privileged local access, so exploitation is more likely wherever the endpoint is reachable.

Generated by OpenCVE AI on April 22, 2026 at 06:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Frappe HR version 15.54.0 or later, or 14.38.1 or later, to apply the SQL injection fix.
  • If immediate upgrade is not feasible, restrict or disable the vulnerable endpoint by configuring firewall rules or application access controls to limit traffic to trusted IP addresses.
  • Regularly review server logs for anomalous SQL queries or repeated injection attempts, and investigate any potential data exposure or unauthorized database access.
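The Impact section above describes a CWE-89 flaw and the advisory title speaks of improper field sanitization. The following Python snippet is an added illustration of that bug class and its fix, not Frappe HR's code: the vulnerable endpoint and its real query are not published, so the `employee` table, the field names and the two lookup functions are constructed for this example. It shows the two separate mistakes a filter endpoint can make (interpolating a caller-supplied value, and interpolating a caller-supplied column name) and the hardened form that binds the value as a parameter and allowlists the identifier, since identifiers cannot be parameterized.

```python
import sqlite3

# Constructed in-memory sample table for the illustration; not Frappe's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (name TEXT, department TEXT, salary INTEGER)")
    conn.executemany(
        "INSERT INTO employee VALUES (?, ?, ?)",
        [("Alice", "Engineering", 90000), ("Bob", "Sales", 60000), ("O'Brien", "Sales", 65000)],
    )
    return conn

# Hypothetical allowlist of columns a filter endpoint may accept as a field name.
ALLOWED_FIELDS = {"name", "department"}

def find_unsafe(conn, field, value):
    # Vulnerable pattern: both the identifier and the value are pasted into SQL text,
    # so any quote in the input reaches the SQL parser as syntax.
    query = f"SELECT name FROM employee WHERE {field} = '{value}' ORDER BY name"
    return [row[0] for row in conn.execute(query)]

def find_safe(conn, field, value):
    # Hardened pattern: the identifier is checked against a fixed allowlist and
    # the value is bound as a query parameter, never interpolated.
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not permitted: {field!r}")
    query = f"SELECT name FROM employee WHERE {field} = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (value,))]

def demo():
    # Runs both variants on a legitimate value that happens to contain a quote
    # and on a field name outside the allowlist; returns the observations.
    conn = make_db()
    results = {"safe": find_safe(conn, "name", "O'Brien")}
    try:
        find_unsafe(conn, "name", "O'Brien")
        results["unsafe_error"] = None          # query text was accepted as-is
    except sqlite3.OperationalError as exc:
        results["unsafe_error"] = str(exc)      # the quote broke the SQL: input became syntax
    try:
        find_safe(conn, "salary", "1")
        results["field_rejected"] = False
    except ValueError:
        results["field_rejected"] = True        # non-allowlisted identifier refused
    return results

if __name__ == "__main__":
    print(demo())
```

The parameterized lookup returns the `O'Brien` row correctly, while the interpolating one fails with an SQL syntax error on the same benign input, which is the observable sign that user data is being parsed as query text. The `ValueError` on `salary` shows why the identifier check is a separate control: binding parameters protects values only.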


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Frappe; Frappe hrms
Vendors & Products  |                | Frappe; Frappe hrms

Wed, 22 Apr 2026 00:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available.
Title       |                | Frappe HR has possibility of SQL Injection due to improper field sanitization
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:42:48.215Z

Reserved: 2026-04-20T14:01:46.671Z

Link: CVE-2026-41320

Vulnrichment

Updated: 2026-04-22T13:42:40.329Z

NVD

Status: Received

Published: 2026-04-21T20:17:03.797

Modified: 2026-04-21T20:17:03.797

Link: CVE-2026-41320

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:29Z

Weaknesses