{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31878", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T21:59:02.685Z", "datePublished": "2026-03-11T18:32:04.397Z", "dateUpdated": "2026-03-11T19:54:06.626Z"}, "containers": {"cna": {"title": "Frappe: Possible SSRF by any authenticated user", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/frappe/frappe/security/advisories/GHSA-mggg-hmjm-j6c2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-mggg-hmjm-j6c2"}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"version": ">= 16.0.0, < 16.6.0", "status": "affected"}, {"version": ">= 15.0.0, < 15.100.0", "status": "affected"}, {"version": "< 14.100.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T18:32:04.397Z"}, "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0."}], "source": {"advisory": "GHSA-mggg-hmjm-j6c2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T19:46:09.518418Z", "id": "CVE-2026-31878", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T19:54:06.626Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31878", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T19:46:09.518418Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T19:54:01.166Z"}}], "cna": {"title": "Frappe: Possible SSRF by any authenticated user", "source": {"advisory": "GHSA-mggg-hmjm-j6c2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"status": "affected", "version": ">= 16.0.0, < 16.6.0"}, {"status": "affected", "version": ">= 15.0.0, < 15.100.0"}, {"status": "affected", "version": "< 14.100.1"}]}], "references": [{"url": "https://github.com/frappe/frappe/security/advisories/GHSA-mggg-hmjm-j6c2", "name": "https://github.com/frappe/frappe/security/advisories/GHSA-mggg-hmjm-j6c2", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T18:32:04.397Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31878", "state": "PUBLISHED", "dateUpdated": "2026-03-11T19:54:06.626Z", "dateReserved": "2026-03-09T21:59:02.685Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T18:32:04.397Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "matchCriteriaId": "D29871FA-D57A-4071-B42F-3851E949A7EA", "versionEndExcluding": "14.100.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F858D25-BBD2-4E28-926F-35FC26DBC3D2", "versionEndExcluding": "15.100.0", "versionStartIncluding": "15.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D9A5273-D4B3-4A1A-8B59-490EB7228F59", "versionEndExcluding": "16.6.0", "versionStartIncluding": "16.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0."}, {"lang": "es", "value": "Frappe es un framework de aplicaci\u00f3n web full-stack. Antes de 14.100.1, 15.100.0 y 16.6.0, un usuario malicioso podr\u00eda enviar una solicitud manipulada a un endpoint lo que llevar\u00eda al servidor a realizar una llamada HTTP a un servicio de la elecci\u00f3n del usuario. Esta vulnerabilidad est\u00e1 corregida en 14.100.1, 15.100.0 y 16.6.0."}], "id": "CVE-2026-31878", "lastModified": "2026-03-13T17:49:29.937", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T19:16:04.470", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-mggg-hmjm-j6c2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[16.0.0,16.6.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[15.0.0,15.100.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,14.100.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "frappe", "source": "cna", "vendor": "frappe"}, "product": "frappe", "vendor": "frappe"}], "analysis": {"en": {"generated_at": "2026-03-17T16:30:09.518820+00:00", "value": {"mitigation_remediation": ["Upgrade the Frappe framework to version 14.100.1 or newer, 15.100.0 or newer, or 16.6.0 or newer.", "If an upgrade is not immediately feasible, restrict outbound traffic from the vulnerable endpoint to limit potential SSRF exploitation.", "Continuously monitor the vendor's advisory at https://github.com/frappe/frappe/security/advisories/GHSA-mggg-hmjm-j6c2 for patches and additional guidance."], "summary": {"action": "Apply Patch", "impact": "Server Side Request Forgery"}, "threat_synthesis": {"affected_systems": "Affected products are the Frappe framework (vendor: frappe). Versions prior to 14.100.1, 15.100.0, and 16.6.0 are vulnerable. The issue is fixed in versions 14.100.1 and newer, 15.100.0 and newer, and 16.6.0 and newer.", "description_and_impact": "The vulnerability allows any authenticated user in the Frappe framework to craft a request to a specific endpoint, causing the server to make an outbound HTTP request to a service selected by the attacker. This Server Side Request Forgery (SSRF) can expose internal network resources or leak sensitive data. The weakness corresponds to CWE-918, indicating a failure to properly validate destination URLs. Based on the description, it is inferred that the attacker could use the SSRF to reach internal services and potentially pivot to further attacks such as data exfiltration.", "risk_and_exploitability": "The CVSS score is 5, indicating medium severity, while the EPSS score is below 1%, suggesting that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. The vulnerability requires authenticated access to the application; based on the description, it is inferred that an attacker must first compromise user credentials or otherwise gain legitimate user access. No public exploits were reported at the time of the advisory. Given the medium severity and low exploitation probability, risk remains moderate but should be addressed promptly to prevent potential internal network exposure."}}}}, "created": "2026-03-12T09:56:59.979276+00:00", "updated": "2026-03-20T15:29:35.032687+00:00", "vendors": ["frappe", "frappe$PRODUCT$frappe"]}