VYPR
Unrated severity · NVD Advisory · Published Mar 11, 2026 · Updated Mar 11, 2026

Frappe: Possible SSRF by any authenticated user

CVE-2026-31878

Description

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0.

Affected products

2
  • Frappe/Frappe (llm-fuzzy), 2 versions
    • (no CPE) range: <14.100.1 or <15.100.0 or <16.6.0
    • (no CPE) range: >= 16.0.0, < 16.6.0
