CVE-2026-29081
HIGH WAF: High
CVSS 8.8
Published: 2026-03-05
CWE-89
Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0.
WAF Coverage Analysis
SQL Injection
High WAF Coverage
OWASP: A03:2021 Injection
942xxx - SQL Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| frappe | frappe | up to 14.100.1 |
| frappe | frappe | 15.0.0 - 15.100.0 |
References
- github.com (Vendor Advisory)