CVE-2026-40889

· NIST NVD ↗

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available.

MEDIUM
CVSS severity
6.5
CVSS base score
2026-04-21
Published

CWE codes

CWE-284

Affected products

frappe:frappe_hr

Sources