CVE-2026-31877 | THREATINT

Description

Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0.

PUBLISHED Reserved 2026-03-09 | Published 2026-03-11 | Updated 2026-03-12 | Assigner GitHub_M

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

>= 15.0.0, < 15.84.0

affected

< 14.99.0

affected

References

github.com/...frappe/security/advisories/GHSA-2c4m-999q-xhx4

cve.org (CVE-2026-31877)

nvd.nist.gov (CVE-2026-31877)

Download JSON