CVE-2026-31878 MEDIUM

CVE-2026-31878: Frappe: Possible SSRF by any authenticated user

Vendor Frappe
Product frappe
Weakness CWE-918 · SSRF
Published March 11, 2026
Last update March 11, 2026

CVSS base score

5.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0.

Key dates

02Disclosure timeline

March 11, 2026 CVE published
March 11, 2026 Record updated