5.0
Frappe: Possible SSRF by any authenticated user
CVE-2026-31878
GHSA-mggg-hmjm-j6c2
Summary
Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0.
osv CVSS3.1
5.0
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 14 Mar 2026