CVE-2026-29081
Published: 05 March 2026
Summary
CVE-2026-29081 is a medium-severity SQL Injection (CWE-89) vulnerability in the Frappe web application framework (vendor: Frappe). Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006). The CVE ranks at the 18.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-29081 is a SQL injection vulnerability (CWE-89) affecting the Frappe full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, a specific endpoint is vulnerable to injection through specially crafted requests, allowing attackers to extract sensitive information from the database. The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating network accessibility, low attack complexity, and high confidentiality impact.
The attack scenario requires low privileges (PR:L), enabling exploitation by authenticated users with minimal access rights. Attackers can remotely send crafted HTTP requests to the vulnerable endpoint without requiring user interaction, resulting in unauthorized extraction of sensitive data such as user records or configuration details, while leaving integrity and availability unaffected.
Frappe has patched the vulnerability in versions 14.100.1 and 15.100.0. Security practitioners should upgrade to these versions for mitigation. Additional details are available in the GitHub security advisory at https://github.com/frappe/frappe/security/advisories/GHSA-w3g7-m7xr-2w38.
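To triage an installed Frappe instance against the fixed releases named above, the following added example (not code from the advisory or the Frappe project) compares a version string with 14.100.1 and 15.100.0 and treats pre-releases of a fixed version as still affected; the version strings passed in are constructed for illustration.

```python
from typing import Optional, Tuple

# Fixed releases as stated in the advisory, keyed by major line.
FIXED_VERSIONS = {14: (14, 100, 1), 15: (15, 100, 0)}


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for strings like 'v15.99.3-beta.1'."""
    text = version.strip().lstrip("v")
    prerelease = "-" in text
    core = text.split("-")[0].split("+")[0]
    parts = []
    for piece in core.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2]), prerelease


def is_affected(version: str) -> Optional[bool]:
    """True if the version predates the fix for its major line, False if fixed,
    None if the advisory names no fix for that line (e.g. 13.x), which needs manual review."""
    core, prerelease = parse_version(version)
    fixed = FIXED_VERSIONS.get(core[0])
    if fixed is None:
        return None
    if core < fixed:
        return True
    # A pre-release build of the fixed version itself predates the fixed release.
    if core == fixed and prerelease:
        return True
    return False


if __name__ == "__main__":
    for sample in ("14.99.3", "14.100.1", "v15.100.0-beta.1", "15.100.2", "13.60.0"):
        print(sample, "->", is_affected(sample))
```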
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9883
Vulnerability details
Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0.
Related Threats
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
SQL injection in the web framework endpoint directly enables unauthorized extraction of sensitive data from the backend database by low-privileged authenticated users.
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-10 (Information Input Validation): directly requires validation of all inputs to the vulnerable endpoint, blocking the specially crafted SQL payloads used in this CVE.
- SI-2 (Flaw Remediation): mandates timely application of patches; the CVE is explicitly resolved by upgrading to Frappe 14.100.1 or 15.100.0.
- Limits the data an authenticated low-privilege user can reach even if SQL injection succeeds, reducing the high confidentiality impact described.