CVE-2026-40888

MEDIUM CVSS 6.5 View on NVD ↗

Description

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

https://github.com/frappe/hrms/releases/tag/v15.58.1
https://github.com/frappe/hrms/releases/tag/v16.4.1
https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx

Published: Apr 21, 2026 20:17 UTC Modified: Apr 21, 2026 20:17 UTC