{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35614", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T21:25:12.163Z", "datePublished": "2026-04-07T16:42:12.740Z", "dateUpdated": "2026-04-07T16:42:12.740Z"}, "containers": {"cna": {"title": "Frappe has a SQL injection in bulk_update", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/frappe/frappe/security/advisories/GHSA-583g-fg76-fhfr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-583g-fg76-fhfr"}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"version": "< 15.104.0", "status": "affected"}, {"version": ">= 16.0.0-beta.1, < 16.14.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:42:12.740Z"}, "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulk_update. This vulnerability is fixed in 16.14.0 and 15.104.0."}], "source": {"advisory": "GHSA-583g-fg76-fhfr", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulk_update. This vulnerability is fixed in 16.14.0 and 15.104.0."}], "id": "CVE-2026-35614", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T17:16:35.753", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/frappe/frappe/security/advisories/GHSA-583g-fg76-fhfr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,15.104.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[16.0.0-beta.1,16.14.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "frappe", "source": "cna", "vendor": "frappe"}, "product": "frappe", "vendor": "frappe"}], "analysis": {"en": {"generated_at": "2026-04-07T23:18:46.570826+00:00", "value": {"mitigation_remediation": ["Update Frappe to version 16.14.0 or later, or to version 15.104.0 or later, to remove the vulnerable code. If an upgrade cannot be performed immediately, restrict access to the bulk_update API or disable it entirely until a patch is applied. After patching, audit database access logs for any unauthorized changes that may have occurred before mitigation."], "summary": {"action": "Immediate Patch", "impact": "Data Compromise via SQL injection"}, "threat_synthesis": {"affected_systems": "Affected are deployments of the Frappe framework under the vendor name frappe. Versions before 16.14.0 and before 15.104.0 are vulnerable. All installations using the bulk_update functionality without the patch are at risk.", "description_and_impact": "The vulnerability is a classic SQL injection in the bulk_update feature of the Frappe framework. An attacker capable of supplying crafted input to this endpoint can execute arbitrary SQL statements against the database, potentially reading sensitive data, modifying records, or even achieving remote code execution if the database privileges allow it. This type of flaw is classified as CWE\u201189 and can severely compromise confidentiality and integrity of the system.", "risk_and_exploitability": "The CVSS score of 9.3 indicates critical severity, meaning the flaw could be exploited with high impact. EPSS data is not available, so the likelihood of exploitation in the wild is currently unknown. The advisory does not list this CVE in the CISA KEV catalog, but its high score and ability to return or modify arbitrary data warrant prompt action. The attack vector is likely through authenticated users who can call the bulk_update API; therefore, control of that endpoint is essential for mitigation."}}}}, "created": "2026-04-08T19:36:43.811811+00:00", "updated": "2026-04-08T19:47:47.014817+00:00", "vendors": ["frappe", "frappe$PRODUCT$frappe"]}