A vulnerability was found in Frappe up to 15.103.x/16.13.x and classified as critical. This issue affects the function bulk_update. The manipulation leads to SQL injection. This vulnerability is listed as CVE-2026-35614. The attack can be performed remotely. No exploit is available. It is suggested to upgrade the affected component.