frappe security advisories
2 threat alerts tracking vulnerabilities and security advisories that affect frappe products.
Vulnios monitors frappe CVE feeds, vendor advisories, CISA KEV listings, and exploit-prediction data continuously. Each alert below is enriched with severity, exploitation status, affected products, and a remediation path. Use this page to scan recent frappe security news in one place, or click into an individual alert for full detail.
Critical Vulnerability: CVE-2026-38431 — frappe — erpnext
ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on
Severity: critical | CVE-2026-38431
Critical Vulnerability: CVE-2026-31017 — frappe — erpnext, frappe
A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before
Severity: critical | CVE-2026-31017