Description
Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, there is a possible SQL Injection via get_blog_list. This issue has been patched in versions 15.106.0 and 16.16.0.
Published: 2026-06-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to perform an SQL injection via the get_blog_list endpoint, potentially injecting arbitrary SQL statements into the database. If exploited, the attacker can exfiltrate sensitive data, alter or delete database records, or disrupt application functionality. The weakness stems from improper handling of user input as identified by CWE‑89.

Affected Systems

Affected products include the Frappe framework for versions earlier than 15.106.0 and 16.16.0. The issue was addressed in 15.106.0 and 16.16.0, so any deployment running an earlier release is vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity impact. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is an unauthenticated or authenticated HTTP GET request to the get_blog_list route, where the application fails to sanitize or parameterize user input.

Generated by OpenCVE AI on June 12, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Frappe instance to version 15.106.0 or newer, or 16.16.0 or newer, to apply the fixed code that properly sanitizes the query.
  • If an immediate upgrade is not possible, limit access to the get_blog_list endpoint by configuring firewalls or application-level access controls, ensuring only trusted users can reach it.
  • Enable auditing or logging of database queries to detect any suspicious activity indicative of injection attempts.

Generated by OpenCVE AI on June 12, 2026 at 15:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Frappe
Frappe frappe
Vendors & Products Frappe
Frappe frappe

Fri, 12 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, there is a possible SQL Injection via get_blog_list. This issue has been patched in versions 15.106.0 and 16.16.0.
Title Frappe Vulnerable to Possible SQL Injection via get_blog_list
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Frappe Frappe
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T14:56:53.836Z

Reserved: 2026-04-21T14:15:21.958Z

Link: CVE-2026-41581

cve-icon Vulnrichment

Updated: 2026-06-12T14:56:45.514Z

cve-icon NVD

Status : Deferred

Published: 2026-06-12T15:16:25.723

Modified: 2026-06-12T15:56:54.563

Link: CVE-2026-41581

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T15:30:31Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')