Skip to main content

Hrms CVE-2026-40888

| EUVDEUVD-2026-24276 MEDIUM
Improper Access Control (CWE-284)
2026-04-21 GitHub_M
6.5
CVSS 3.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 27, 2026 - 19:39 nvd
Patch available
Patch available
Apr 21, 2026 - 21:02 EUVD
EUVD ID Assigned
Apr 21, 2026 - 20:00 euvd
EUVD-2026-24276
CVE Published
Apr 21, 2026 - 19:28 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.

Analysis

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.

Share

CVE-2026-40888 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy