What's New
Frappe fix framework

Security fix: lambda expressions disabled in eval to block code injection

AN @ankush · #39920 · merged 13 Jun 2026

The vulnerability

eval() in server scripts accepted lambda expressions, which opened a path to arbitrary code execution for anyone who could influence an evaluated string.

The fix

Lambda expressions are now rejected before evaluation. Legitimate expressions are unaffected; only the unsafe construct is blocked.

What you should do

  • Nothing, if your scripts use plain expressions
  • Review any script that relied on inline lambdas — rewrite them as named functions