CRITICAL · CVE-2026-31877 · Published · Modified · CNA GitHub_M

CVE-2026-31877: Frappe SQL Injection due to improper field sanitization

Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in
Affected Products: 1
Affected packages
  • frappe / frappe
    >= 15.0.0, < 15.84.0 · < 14.99.0
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N