CVE-2026-31877 CRITICAL

CVE-2026-31877: Frappe SQL Injection due to improper field sanitization

Vendor Frappe
Product frappe
Weakness CWE-89 · SQLi
Published March 11, 2026
Last update March 12, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0.

Key dates

02Disclosure timeline

March 11, 2026 CVE published
March 12, 2026 Record updated