Frappe: Malicious Request Allows Server to Make Unwanted HTTP Calls

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.0

Frappe: Malicious Request Allows Server to Make Unwanted HTTP Calls

CVE-2026-31878

Summary

A security issue in older versions of the Frappe web application framework allows a malicious user to make the server contact a website of their choice. This could be used to steal sensitive information or disrupt the server. Update to the latest version of Frappe to fix this issue.

Original title

Original description

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0.

nvd CVSS3.1 5.0

Vulnerability type

CWE-918 Server-Side Request Forgery (SSRF)

https://github.com/frappe/frappe/security/advisories/GHSA-mggg-hmjm-j6c2

Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026