Description
Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0.
Published: 2026-03-11
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows any authenticated user in the Frappe framework to craft a request to a specific endpoint, causing the server to make an outbound HTTP request to a service selected by the attacker. This Server Side Request Forgery (SSRF) can expose internal network resources or leak sensitive data. The weakness corresponds to CWE-918, indicating a failure to properly validate destination URLs. Based on the description, it is inferred that the attacker could use the SSRF to reach internal services and potentially pivot to further attacks such as data exfiltration.

Affected Systems

Affected products are the Frappe framework (vendor: frappe). Versions prior to 14.100.1, 15.100.0, and 16.6.0 are vulnerable. The issue is fixed in versions 14.100.1 and newer, 15.100.0 and newer, and 16.6.0 and newer.

Risk and Exploitability

The CVSS score is 5, indicating medium severity, while the EPSS score is below 1%, suggesting that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. The vulnerability requires authenticated access to the application; based on the description, it is inferred that an attacker must first compromise user credentials or otherwise gain legitimate user access. No public exploits were reported at the time of the advisory. Given the medium severity and low exploitation probability, risk remains moderate but should be addressed promptly to prevent potential internal network exposure.

Generated by OpenCVE AI on March 17, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Frappe framework to version 14.100.1 or newer, 15.100.0 or newer, or 16.6.0 or newer.
  • If an upgrade is not immediately feasible, restrict outbound traffic from the vulnerable endpoint to limit potential SSRF exploitation.
  • Continuously monitor the vendor's advisory at https://github.com/frappe/frappe/security/advisories/GHSA-mggg-hmjm-j6c2 for patches and additional guidance.

Generated by OpenCVE AI on March 17, 2026 at 16:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Frappe
Frappe frappe
Vendors & Products Frappe
Frappe frappe

Wed, 11 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0.
Title Frappe: Possible SSRF by any authenticated user
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

Frappe Frappe
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T19:54:06.626Z

Reserved: 2026-03-09T21:59:02.685Z

Link: CVE-2026-31878

cve-icon Vulnrichment

Updated: 2026-03-11T19:54:01.166Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T19:16:04.470

Modified: 2026-03-13T17:49:29.937

Link: CVE-2026-31878

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:29:35Z

Weaknesses