SQL Injection Vulnerability in Frappe Framework by Frappe Technologies
CVE-2026-35614
9.3 CRITICAL
What is CVE-2026-35614?
Frappe Framework, a popular web application framework, contains a SQL injection flaw within its bulk_update functionality for versions prior to 16.14.0 and 15.104.0. This vulnerability could allow an attacker to manipulate SQL queries, leading to unauthorized data access and potential data corruption. Users are advised to upgrade to the latest versions to mitigate this risk.
Affected Version(s)
frappe < 15.104.0
frappe >= 16.0.0-beta.1, < 16.14.0
