๐Ÿ” CVE Alert

CVE-2026-39351

CRITICAL 9.1

Frappe allows unrestricted Doctype access via API exploit

CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
13th

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit.

CWE CWE-862
Vendor frappe
Product frappe
Published Apr 7, 2026
Last Updated Apr 9, 2026
Stay Ahead of the Next One

Get instant alerts for frappe frappe

Be the first to know when new critical vulnerabilities affecting frappe frappe are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

frappe / frappe
< 15.104.0 >= 16.0.0-beta.1, < 16.14.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/frappe/frappe/security/advisories/GHSA-8ggw-hfr6-rw3x