Unrated severityNVD Advisory· Published Mar 11, 2026· Updated Mar 11, 2026
Frappe: Possible SSRF by any authenticated user
CVE-2026-31878
Description
Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0.
Affected products
2Patches
Vulnerability mechanics
References
1- github.com/frappe/frappe/security/advisories/GHSA-mggg-hmjm-j6c2mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.