{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31877", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T21:59:02.685Z", "datePublished": "2026-03-11T18:28:35.596Z", "dateUpdated": "2026-03-12T20:07:46.367Z"}, "containers": {"cna": {"title": "Frappe SQL Injection due to improper field sanitization", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/frappe/frappe/security/advisories/GHSA-2c4m-999q-xhx4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-2c4m-999q-xhx4"}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"version": ">= 15.0.0, < 15.84.0", "status": "affected"}, {"version": "< 14.99.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T18:28:35.596Z"}, "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0."}], "source": {"advisory": "GHSA-2c4m-999q-xhx4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T20:07:39.696321Z", "id": "CVE-2026-31877", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:07:46.367Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31877", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T20:07:39.696321Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:07:43.582Z"}}], "cna": {"title": "Frappe SQL Injection due to improper field sanitization", "source": {"advisory": "GHSA-2c4m-999q-xhx4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"status": "affected", "version": ">= 15.0.0, < 15.84.0"}, {"status": "affected", "version": "< 14.99.0"}]}], "references": [{"url": "https://github.com/frappe/frappe/security/advisories/GHSA-2c4m-999q-xhx4", "name": "https://github.com/frappe/frappe/security/advisories/GHSA-2c4m-999q-xhx4", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T18:28:35.596Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31877", "state": "PUBLISHED", "dateUpdated": "2026-03-12T20:07:46.367Z", "dateReserved": "2026-03-09T21:59:02.685Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T18:28:35.596Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F8C05C0-D0E9-402C-8A7C-7A202FDC9DC9", "versionEndExcluding": "14.99.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "matchCriteriaId": "54613C79-C6D3-44CD-B024-E993AEF2C10B", "versionEndExcluding": "15.84.0", "versionStartIncluding": "15.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0."}, {"lang": "es", "value": "Frappe es un framework de aplicaci\u00f3n web full-stack. Antes de las versiones 15.84.0 y 14.99.0, una solicitud especialmente dise\u00f1ada realizada a un determinado endpoint podr\u00eda resultar en una inyecci\u00f3n SQL, permitiendo a un atacante extraer informaci\u00f3n a la que de otro modo no tendr\u00eda acceso. Esta vulnerabilidad est\u00e1 corregida en las versiones 15.84.0 y 14.99.0."}], "id": "CVE-2026-31877", "lastModified": "2026-03-13T17:50:26.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T19:16:04.300", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-2c4m-999q-xhx4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[15.0.0,15.84.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,14.99.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "frappe", "source": "cna", "vendor": "frappe"}, "product": "frappe", "vendor": "frappe"}], "analysis": {"en": {"generated_at": "2026-03-17T16:30:28.578572+00:00", "value": {"mitigation_remediation": ["Apply the latest Frappe patch (v15.84.0 or v14.99.0) to eliminate the SQL injection flaw.", "Verify that your installed Frappe version is not older than the fixed releases.", "If a patch cannot be applied immediately, isolate or block the vulnerable endpoint until remediation is applied.", "Check the vendor\u2019s website or security advisories for any additional guidance or workarounds."], "summary": {"action": "Patch Immediately", "impact": "Data Compromise via SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected software is the Frappe web application framework (vendor: frappe, product: frappe). Versions older than 15.84.0 for the current release line and older than 14.99.0 for the prior line are susceptible.", "description_and_impact": "The vulnerability is caused by improper input sanitization on a specific endpoint within the Frappe framework, allowing an attacker to inject malicious SQL code. This flaw is classified as CWE\u201189. When exploited, the attacker can read database records that the application should not expose, compromising the confidentiality of sensitive data.", "risk_and_exploitability": "Risk is high, with a CVSS score of 9.3 and an EPSS score below 1\u202f%. The vulnerability is not listed in the CISA KEV catalog, indicating no publicly confirmed exploits at this time. The likely attack vector is a remote, unauthenticated request to the vulnerable endpoint, as inferred from the advisory description. Exploitation requires only network access and does not need privileged credentials."}}}}, "created": "2026-03-12T09:57:00.997881+00:00", "updated": "2026-03-20T15:29:35.905722+00:00", "vendors": ["frappe", "frappe$PRODUCT$frappe"]}