Search

Find a vulnerability

Search criteria

    8 vulnerabilities found for hrms by frappe

    CVE-2026-45081 (GCVE-0-2026-45081)

    Vulnerability from nvd – Published: 2026-05-27 17:18 – Updated: 2026-05-27 18:26
    VLAI
    Title
    Frappe HR: Permission Bypass in HRMS Leave Details API
    Summary
    Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    frappe hrms Affected: < 16.5.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45081",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T18:25:16.494173Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T18:26:47.576Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hrms",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 16.5.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees\u2019 leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T17:18:53.600Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/hrms/security/advisories/GHSA-9jpf-5vrm-hpcj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/hrms/security/advisories/GHSA-9jpf-5vrm-hpcj"
            }
          ],
          "source": {
            "advisory": "GHSA-9jpf-5vrm-hpcj",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe HR: Permission Bypass in HRMS Leave Details API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45081",
        "datePublished": "2026-05-27T17:18:53.600Z",
        "dateReserved": "2026-05-08T18:45:10.097Z",
        "dateUpdated": "2026-05-27T18:26:47.576Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41320 (GCVE-0-2026-41320)

    Vulnerability from nvd – Published: 2026-04-21 19:34 – Updated: 2026-04-22 13:42
    VLAI
    Title
    Frappe HR has possibility of SQL Injection due to improper field sanitization
    Summary
    Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    frappe hrms Affected: < 15.54.0
    Affected: < 14.38.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41320",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T13:41:45.488033Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T13:42:48.215Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hrms",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.54.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 14.38.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn\u0027t otherwise be able to. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T19:34:16.753Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/hrms/security/advisories/GHSA-745c-5q8r-vgj2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/hrms/security/advisories/GHSA-745c-5q8r-vgj2"
            }
          ],
          "source": {
            "advisory": "GHSA-745c-5q8r-vgj2",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe HR has possibility of SQL Injection due to improper field sanitization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41320",
        "datePublished": "2026-04-21T19:34:16.753Z",
        "dateReserved": "2026-04-20T14:01:46.671Z",
        "dateUpdated": "2026-04-22T13:42:48.215Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40889 (GCVE-0-2026-40889)

    Vulnerability from nvd – Published: 2026-04-21 19:32 – Updated: 2026-04-22 13:30
    VLAI
    Title
    Frappe HR has Improper Access Control on Files
    Summary
    Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    frappe hrms Affected: < 16.4.2
    Affected: < 15.58.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40889",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T13:29:58.366920Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T13:30:10.795Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hrms",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 16.4.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 15.58.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T19:32:52.106Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/hrms/security/advisories/GHSA-6cg5-4q6m-vrgm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/hrms/security/advisories/GHSA-6cg5-4q6m-vrgm"
            },
            {
              "name": "https://github.com/frappe/hrms/releases/tag/v15.58.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/hrms/releases/tag/v15.58.2"
            },
            {
              "name": "https://github.com/frappe/hrms/releases/tag/v16.4.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/hrms/releases/tag/v16.4.2"
            }
          ],
          "source": {
            "advisory": "GHSA-6cg5-4q6m-vrgm",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe HR has Improper Access Control on Files"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40889",
        "datePublished": "2026-04-21T19:32:52.106Z",
        "dateReserved": "2026-04-15T16:37:22.766Z",
        "dateUpdated": "2026-04-22T13:30:10.795Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40888 (GCVE-0-2026-40888)

    Vulnerability from nvd – Published: 2026-04-21 19:28 – Updated: 2026-04-21 19:43
    VLAI
    Title
    Frappe HR vulnerable to Improper Access Control
    Summary
    Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    frappe hrms Affected: < 15.58.1
    Affected: < 16.4.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40888",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-21T19:43:31.343136Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-21T19:43:37.506Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hrms",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.58.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 16.4.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T19:28:28.849Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx"
            },
            {
              "name": "https://github.com/frappe/hrms/releases/tag/v15.58.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/hrms/releases/tag/v15.58.1"
            },
            {
              "name": "https://github.com/frappe/hrms/releases/tag/v16.4.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/hrms/releases/tag/v16.4.1"
            }
          ],
          "source": {
            "advisory": "GHSA-4375-7rxj-9hfx",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe HR vulnerable to Improper Access Control"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40888",
        "datePublished": "2026-04-21T19:28:28.849Z",
        "dateReserved": "2026-04-15T16:37:22.765Z",
        "dateUpdated": "2026-04-21T19:43:37.506Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45081 (GCVE-0-2026-45081)

    Vulnerability from cvelistv5 – Published: 2026-05-27 17:18 – Updated: 2026-05-27 18:26
    VLAI
    Title
    Frappe HR: Permission Bypass in HRMS Leave Details API
    Summary
    Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    frappe hrms Affected: < 16.5.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45081",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T18:25:16.494173Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T18:26:47.576Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hrms",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 16.5.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees\u2019 leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T17:18:53.600Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/hrms/security/advisories/GHSA-9jpf-5vrm-hpcj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/hrms/security/advisories/GHSA-9jpf-5vrm-hpcj"
            }
          ],
          "source": {
            "advisory": "GHSA-9jpf-5vrm-hpcj",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe HR: Permission Bypass in HRMS Leave Details API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45081",
        "datePublished": "2026-05-27T17:18:53.600Z",
        "dateReserved": "2026-05-08T18:45:10.097Z",
        "dateUpdated": "2026-05-27T18:26:47.576Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41320 (GCVE-0-2026-41320)

    Vulnerability from cvelistv5 – Published: 2026-04-21 19:34 – Updated: 2026-04-22 13:42
    VLAI
    Title
    Frappe HR has possibility of SQL Injection due to improper field sanitization
    Summary
    Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    frappe hrms Affected: < 15.54.0
    Affected: < 14.38.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41320",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T13:41:45.488033Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T13:42:48.215Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hrms",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.54.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 14.38.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn\u0027t otherwise be able to. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T19:34:16.753Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/hrms/security/advisories/GHSA-745c-5q8r-vgj2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/hrms/security/advisories/GHSA-745c-5q8r-vgj2"
            }
          ],
          "source": {
            "advisory": "GHSA-745c-5q8r-vgj2",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe HR has possibility of SQL Injection due to improper field sanitization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41320",
        "datePublished": "2026-04-21T19:34:16.753Z",
        "dateReserved": "2026-04-20T14:01:46.671Z",
        "dateUpdated": "2026-04-22T13:42:48.215Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40889 (GCVE-0-2026-40889)

    Vulnerability from cvelistv5 – Published: 2026-04-21 19:32 – Updated: 2026-04-22 13:30
    VLAI
    Title
    Frappe HR has Improper Access Control on Files
    Summary
    Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    frappe hrms Affected: < 16.4.2
    Affected: < 15.58.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40889",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T13:29:58.366920Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T13:30:10.795Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hrms",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 16.4.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 15.58.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T19:32:52.106Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/hrms/security/advisories/GHSA-6cg5-4q6m-vrgm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/hrms/security/advisories/GHSA-6cg5-4q6m-vrgm"
            },
            {
              "name": "https://github.com/frappe/hrms/releases/tag/v15.58.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/hrms/releases/tag/v15.58.2"
            },
            {
              "name": "https://github.com/frappe/hrms/releases/tag/v16.4.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/hrms/releases/tag/v16.4.2"
            }
          ],
          "source": {
            "advisory": "GHSA-6cg5-4q6m-vrgm",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe HR has Improper Access Control on Files"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40889",
        "datePublished": "2026-04-21T19:32:52.106Z",
        "dateReserved": "2026-04-15T16:37:22.766Z",
        "dateUpdated": "2026-04-22T13:30:10.795Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40888 (GCVE-0-2026-40888)

    Vulnerability from cvelistv5 – Published: 2026-04-21 19:28 – Updated: 2026-04-21 19:43
    VLAI
    Title
    Frappe HR vulnerable to Improper Access Control
    Summary
    Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    frappe hrms Affected: < 15.58.1
    Affected: < 16.4.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40888",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-21T19:43:31.343136Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-21T19:43:37.506Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hrms",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.58.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 16.4.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T19:28:28.849Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx"
            },
            {
              "name": "https://github.com/frappe/hrms/releases/tag/v15.58.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/hrms/releases/tag/v15.58.1"
            },
            {
              "name": "https://github.com/frappe/hrms/releases/tag/v16.4.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/hrms/releases/tag/v16.4.1"
            }
          ],
          "source": {
            "advisory": "GHSA-4375-7rxj-9hfx",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe HR vulnerable to Improper Access Control"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40888",
        "datePublished": "2026-04-21T19:28:28.849Z",
        "dateReserved": "2026-04-15T16:37:22.765Z",
        "dateUpdated": "2026-04-21T19:43:37.506Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }