CVE-2026-31878

Published: Mar 11, 2026Modified: Mar 13, 2026

5.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Exploitability: 3.1 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0.

Affected (3)

Products: Frappe: Frappe

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Frappe Frappe	Before 14.100.1
Frappe Frappe	From 15.0.0 to 15.100.0
Frappe Frappe	From 16.0.0 to 16.6.0

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (1)

https://github.com/frappe/frappe/security/advisories/GHSA-mggg-hmjm-j6c2

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.