VIR Vulnerability Intelligence Relay

CVE-2026-40888

medium
Published 2026-04-21 · Modified 2026-04-27
CVSS v3
6.5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v2
VIR risk
6.5

Description

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.

Predictions

Exploit likelihood
75%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/frappe/hrms/releases/tag/v16.4.1

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/frappe/hrms/releases/tag/v15.58.1

Application impact
VendorProductVersionsFixed
frappefrappe_hr{"endExcluding":"15.58.1"}15.58.1

References

CWEs

CWE-284

Verify integrity in audit chain (admin only). AS-IS.