Cyber Posture

CVE-2026-29081

Severity: Medium

Published: 05 March 2026
Modified: 09 March 2026
KEV Added:
Patch:
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0004 (12.7th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-29081 is a medium-severity SQL Injection (CWE-89) vulnerability in Frappe Frappe. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006). The CVE is ranked at the 12.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Databases (T1213.006).
Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.

MITRE ATT&CK Enterprise Techniques (AI)

T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in a web framework endpoint directly enables unauthorized extraction of sensitive data from the backend database by low-privileged authenticated users.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0.

Deeper analysis (AI)

CVE-2026-29081 is a SQL injection vulnerability (CWE-89) affecting the Frappe full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, a specific endpoint is vulnerable to injection through specially crafted requests, allowing attackers to extract sensitive information from the database. The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating network accessibility, low attack complexity, and high confidentiality impact.

The attack scenario requires low privileges (PR:L), enabling exploitation by authenticated users with minimal access rights. Attackers can remotely send crafted HTTP requests to the vulnerable endpoint without requiring user interaction, resulting in unauthorized extraction of sensitive data such as user records or configuration details, while leaving integrity and availability unaffected.

Frappe has patched the vulnerability in versions 14.100.1 and 15.100.0. Security practitioners should upgrade to these versions for mitigation. Additional details are available in the GitHub security advisory at https://github.com/frappe/frappe/security/advisories/GHSA-w3g7-m7xr-2w38.

Details

CWE(s)

Affected Products

frappe / frappe: ≤ 14.100.1 · 15.0.0 — 15.100.0

CVEs Like This One

CVE-2025-30217 (same product: Frappe Frappe)
CVE-2026-31877 (same product: Frappe Frappe)
CVE-2026-35614 (same product: Frappe Frappe)
CVE-2025-30212 (same product: Frappe Frappe)
CVE-2026-39351 (same product: Frappe Frappe)
CVE-2025-68929 (same product: Frappe Frappe)
CVE-2025-68953 (same product: Frappe Frappe)
CVE-2025-30213 (same product: Frappe Frappe)
CVE-2025-30214 (same product: Frappe Frappe)
CVE-2026-28436 (same product: Frappe Frappe)

References