6.5

CVE-2026-40888

EPSS 0.23%
Veröffentlicht 21.04.2026 19:28:28
Zuletzt bearbeitet 27.04.2026 19:39:35
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Frappe HR vulnerable to Improper Access Control

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Frappe ≫ Frappe Hr Version < 15.58.1

Frappe ≫ Frappe Hr Version >= 16.0.0 < 16.4.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.138

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx

Vendor Advisory

https://github.com/frappe/hrms/releases/tag/v15.58.1

Release Notes

https://github.com/frappe/hrms/releases/tag/v16.4.1

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-40888

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-40888

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-40888

EUVD