Description
Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0.
Published: 2026-03-11
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Data Compromise via SQL Injection
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is caused by improper sanitization of a field supplied to a specific endpoint within the Frappe framework (the advisory title calls it "improper field sanitization"), allowing an attacker to inject SQL into the query that endpoint builds. This flaw is classified as CWE-89. When exploited, the attacker can read database records that the application should not expose, compromising the confidentiality of sensitive data. Note that the CVSS 4.0 vector also rates the integrity impact as high, although the advisory text itself describes only data extraction.
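The pattern the advisory describes, a field name that is checked too loosely before it lands in a query, is shown below as an added example written for this page. It is not Frappe's code and does not reproduce the undisclosed vulnerable endpoint; the table, columns, rows and attacker payload are constructed. It contrasts three versions of one lookup: no check, a syntax-only check (which blocks subqueries but still lets a real, restricted column through), and an allow-list of exposable fields.

```python
"""CWE-89 via an unsanitized field name, with a syntax-only check beside an allow-list.

Added example for this page; it is not Frappe's code and does not reproduce the
undisclosed endpoint of CVE-2026-31877. The table, columns and rows are constructed.
"""
import re
import sqlite3

# Constructed sample data: api_key is a column the endpoint must never return.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "api-key-alice"),
    ("bob", "bob@example.com", "api-key-bob"),
]
# Columns a caller is allowed to request; api_key is deliberately absent.
ALLOWED_FIELDS = {"name", "email"}
# Syntactic identifier check: rejects expressions, but not real column names.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Constructed attacker input: a scalar subquery in place of a field name.
ATTACK_PAYLOAD = "(SELECT group_concat(api_key, ',') FROM user)"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, email TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_user_field_vulnerable(conn, name: str, field: str):
    # VULNERABLE: the value is bound with a placeholder, but placeholders cannot
    # bind identifiers, so the field name is interpolated verbatim into the SQL.
    sql = f"SELECT {field} FROM user WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone()[0]


def get_user_field_syntax_checked(conn, name: str, field: str):
    # Partial fix: a regex stops subqueries and comments, yet any existing
    # column, including api_key, still passes. Sanitizing the syntax is not
    # the same as authorizing the field.
    if not IDENTIFIER_RE.match(field):
        raise ValueError(f"invalid field name: {field!r}")
    sql = f'SELECT "{field}" FROM user WHERE name = ?'
    return conn.execute(sql, (name,)).fetchone()[0]


def get_user_field_hardened(conn, name: str, field: str):
    # Hardened: the field must be one of a fixed set of exposable columns,
    # and is quoted as an identifier once it is known to be one.
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not permitted: {field!r}")
    sql = f'SELECT "{field}" FROM user WHERE name = ?'
    return conn.execute(sql, (name,)).fetchone()[0]


def run_demo() -> dict:
    """Run each variant against a benign field, a restricted column and the payload."""
    conn = make_db()
    variants = {
        "vulnerable": get_user_field_vulnerable,
        "syntax_checked": get_user_field_syntax_checked,
        "hardened": get_user_field_hardened,
    }
    outcomes = {}
    for label, fn in variants.items():
        for field in ("email", "api_key", ATTACK_PAYLOAD):
            try:
                outcomes[(label, field)] = fn(conn, "alice", field)
            except ValueError:
                outcomes[(label, field)] = "rejected"
    conn.close()
    return outcomes


if __name__ == "__main__":
    for (label, field), result in run_demo().items():
        print(f"{label:15} {field[:40]:40} -> {result}")
```

Running it shows the unsanitized variant returning every api_key through the subquery, the regex variant refusing the subquery but still handing back api_key on request, and only the allow-list variant refusing both. The lesson carries to any framework whose query helpers accept caller-supplied field names: bind values with placeholders, and validate identifiers against a closed set rather than a character class.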

Affected Systems

The affected software is the Frappe web application framework (vendor: frappe, product: frappe). Versions of the 15.x line older than 15.84.0 and versions of the 14.x line older than 14.99.0 are susceptible. The CPE entry recorded for this CVE (cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*) carries no version bounds, so treat any installation below the fixed release of its line as vulnerable.

Risk and Exploitability

Risk is high: the CVSS 4.0 base score is 9.3 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N), and NVD additionally scores it 9.8 under CVSS 3.1. The EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, which means no confirmed in-the-wild exploitation has been recorded at this time, not that no exploit exists; the SSVC assessment likewise records exploitation as "none", automatable as "no" and technical impact as "total". The vector indicates a remote, unauthenticated request to the vulnerable endpoint with no user interaction: exploitation requires only network access to the Frappe instance and no credentials at all.

Generated by OpenCVE AI on March 17, 2026 at 16:30 UTC.

Remediation

Vendor fix: upgrade to Frappe 15.84.0 or 14.99.0, the releases the advisory names as containing the fix. No vendor workaround has been published, and the advisory does not identify the affected endpoint.

OpenCVE Recommended Actions

  • Upgrade Frappe to v15.84.0 or v14.99.0 (or a later release of the same line) to eliminate the SQL injection flaw.
  • Verify that the installed Frappe version (for example, the frappe line printed by bench version in the bench directory) is not older than the fixed release for its line.
  • If a patch cannot be applied immediately, restrict network access to the instance until remediation is applied; since the advisory does not name the vulnerable endpoint, blocking it selectively at a reverse proxy requires first identifying it from the fix.
  • Check the vendor's website or security advisories for any additional guidance or workarounds.

Generated by OpenCVE AI on March 17, 2026 at 16:30 UTC.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 18:00:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 12 Mar 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Frappe; Frappe frappe
Vendors & Products                    Frappe; Frappe frappe

Wed, 11 Mar 2026 18:45:00 +0000

Type         Values Removed   Values Added
Description                   Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0.
Title                         Frappe SQL Injection due to improper field sanitization
Weaknesses                    CWE-89
References
Metrics                       cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:07:46.367Z

Reserved: 2026-03-09T21:59:02.685Z

Link: CVE-2026-31877

Vulnrichment

Updated: 2026-03-12T20:07:43.582Z

NVD

Status: Analyzed

Published: 2026-03-11T19:16:04.300

Modified: 2026-03-13T17:50:26.093

Link: CVE-2026-31877

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:29:35Z

Weaknesses