CVE-2026-31877
Frappe SQL Injection due to improper field sanitization
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0.
| CWE | CWE-89 |
| Vendor | frappe |
| Product | frappe |
| Published | Mar 11, 2026 |
| Last Updated | Mar 12, 2026 |
Affected Versions
frappe / frappe
>= 15.0.0, < 15.84.0
< 14.99.0