3 vulnerabilities found for hrms by frappe
CVE-2026-41320 (GCVE-0-2026-41320)
Vulnerability from cvelistv5
Published
2026-04-21 19:34
Modified
2026-04-22 13:42
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they would not otherwise be able to access. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available.
References
| URL | Tags |
|---|---|
| https://github.com/frappe/hrms/security/advisories/GHSA-745c-5q8r-vgj2 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41320",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T13:41:45.488033Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:42:48.215Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hrms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.54.0"
},
{
"status": "affected",
"version": "\u003c 14.38.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn\u0027t otherwise be able to. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:34:16.753Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/hrms/security/advisories/GHSA-745c-5q8r-vgj2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/hrms/security/advisories/GHSA-745c-5q8r-vgj2"
}
],
"source": {
"advisory": "GHSA-745c-5q8r-vgj2",
"discovery": "UNKNOWN"
},
"title": "Frappe HR has possibility of SQL Injection due to improper field sanitization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41320",
"datePublished": "2026-04-21T19:34:16.753Z",
"dateReserved": "2026-04-20T14:01:46.671Z",
"dateUpdated": "2026-04-22T13:42:48.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40889 (GCVE-0-2026-40889)
Vulnerability from cvelistv5
Published
2026-04-21 19:32
Modified
2026-04-22 13:30
CWE
- CWE-284 - Improper Access Control
Summary
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting a certain API endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available.
References
| URL | Tags |
|---|---|
| https://github.com/frappe/hrms/security/advisories/GHSA-6cg5-4q6m-vrgm | x_refsource_CONFIRM |
| https://github.com/frappe/hrms/releases/tag/v15.58.2 | x_refsource_MISC |
| https://github.com/frappe/hrms/releases/tag/v16.4.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40889",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T13:29:58.366920Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:30:10.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hrms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 16.4.2"
},
{
"status": "affected",
"version": "\u003c 15.58.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:32:52.106Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/hrms/security/advisories/GHSA-6cg5-4q6m-vrgm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/hrms/security/advisories/GHSA-6cg5-4q6m-vrgm"
},
{
"name": "https://github.com/frappe/hrms/releases/tag/v15.58.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/hrms/releases/tag/v15.58.2"
},
{
"name": "https://github.com/frappe/hrms/releases/tag/v16.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/hrms/releases/tag/v16.4.2"
}
],
"source": {
"advisory": "GHSA-6cg5-4q6m-vrgm",
"discovery": "UNKNOWN"
},
"title": "Frappe HR has Improper Access Control on Files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40889",
"datePublished": "2026-04-21T19:32:52.106Z",
"dateReserved": "2026-04-15T16:37:22.766Z",
"dateUpdated": "2026-04-22T13:30:10.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40888 (GCVE-0-2026-40888)
Vulnerability from cvelistv5
Published
2026-04-21 19:28
Modified
2026-04-21 19:43
CWE
- CWE-284 - Improper Access Control
Summary
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with the default role can access unauthorized information by exploiting a certain API endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.
References
| URL | Tags |
|---|---|
| https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx | x_refsource_CONFIRM |
| https://github.com/frappe/hrms/releases/tag/v15.58.1 | x_refsource_MISC |
| https://github.com/frappe/hrms/releases/tag/v16.4.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40888",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T19:43:31.343136Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:43:37.506Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hrms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.58.1"
},
{
"status": "affected",
"version": "\u003c 16.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:28:28.849Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx"
},
{
"name": "https://github.com/frappe/hrms/releases/tag/v15.58.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/hrms/releases/tag/v15.58.1"
},
{
"name": "https://github.com/frappe/hrms/releases/tag/v16.4.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/hrms/releases/tag/v16.4.1"
}
],
"source": {
"advisory": "GHSA-4375-7rxj-9hfx",
"discovery": "UNKNOWN"
},
"title": "Frappe HR vulnerable to Improper Access Control"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40888",
"datePublished": "2026-04-21T19:28:28.849Z",
"dateReserved": "2026-04-15T16:37:22.765Z",
"dateUpdated": "2026-04-21T19:43:37.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}