CVE-2026-31877
CRITICAL WAF: High
CVSS 9.8
Published: 2026-03-11
CWE-89
Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0.
WAF Coverage Analysis
SQL Injection
High WAF Coverage
OWASP: A03:2021 Injection
942xxx - SQL Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| frappe | frappe | up to 14.99.0 |
| frappe | frappe | 15.0.0 - 15.84.0 |
References
- github.com (Vendor Advisory)