{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41320", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T14:01:46.671Z", "datePublished": "2026-04-21T19:34:16.753Z", "dateUpdated": "2026-04-22T13:42:48.215Z"}, "containers": {"cna": {"title": "Frappe HR has possibility of SQL Injection due to improper field sanitization", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/frappe/hrms/security/advisories/GHSA-745c-5q8r-vgj2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/hrms/security/advisories/GHSA-745c-5q8r-vgj2"}], "affected": [{"vendor": "frappe", "product": "hrms", "versions": [{"version": "< 15.54.0", "status": "affected"}, {"version": "< 14.38.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:34:16.753Z"}, "descriptions": [{"lang": "en", "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-745c-5q8r-vgj2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:41:45.488033Z", "id": "CVE-2026-41320", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:42:48.215Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41320", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T13:41:45.488033Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:42:40.329Z"}}], "cna": {"title": "Frappe HR has possibility of SQL Injection due to improper field sanitization", "source": {"advisory": "GHSA-745c-5q8r-vgj2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "frappe", "product": "hrms", "versions": [{"status": "affected", "version": "< 15.54.0"}, {"status": "affected", "version": "< 14.38.1"}]}], "references": [{"url": "https://github.com/frappe/hrms/security/advisories/GHSA-745c-5q8r-vgj2", "name": "https://github.com/frappe/hrms/security/advisories/GHSA-745c-5q8r-vgj2", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:34:16.753Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41320", "state": "PUBLISHED", "dateUpdated": "2026-04-22T13:42:48.215Z", "dateReserved": "2026-04-20T14:01:46.671Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T19:34:16.753Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available."}], "id": "CVE-2026-41320", "lastModified": "2026-04-21T20:17:03.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:03.797", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/frappe/hrms/security/advisories/GHSA-745c-5q8r-vgj2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,15.54.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,14.38.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "hrms", "vendor": "frappe"}], "analysis": {"en": {"generated_at": "2026-04-22T06:44:05.295631+00:00", "value": {"mitigation_remediation": ["Upgrade to Frappe HR version 15.54.0 or later, or 14.38.1 or later, to apply the SQL injection fix.", "If immediate upgrade is not feasible, restrict or disable the vulnerable endpoint by configuring firewall rules or application access controls to limit traffic to trusted IP addresses.", "Regularly review server logs for anomalous SQL queries or repeated injection attempts, and investigate any potential data exposure or unauthorized database access."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "Frappe HRMS versions earlier than 15.54.0 and 14.38.1 are susceptible. The issue applies to the open\u2011source HR management solution maintained by the Frappe community.", "description_and_impact": "A specially crafted request to a specific Frappe HR endpoint can allow an attacker to inject SQL code, enabling unauthorized data extraction. The vulnerability is a typical SQL injection flaw (CWE\u201189). It does not compromise code execution or affect system integrity beyond data disclosure.", "risk_and_exploitability": "The CVSS score is 6.5, indicating a medium severity risk. No EPSS value is available, so the current exploitation probability is unknown, but the lack of a KEV listing does not preclude potential impact. Attacks would require sending a crafted request, and do not need privileged local access, implying a higher likelihood of exploitation if the endpoint is reachable."}}}}, "created": "2026-04-22T06:45:10.880010+00:00", "updated": "2026-04-22T11:45:29.859020+00:00", "vendors": ["frappe", "frappe$PRODUCT$hrms"]}