Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible, low-complexity write bypass requiring only a valid user session (PR:L); no confidentiality or availability impact, only low integrity impact on Onboarding Step records.
Primary rating from Vendor (GitHub_M).
Description (CVE.org)
Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4.
Analysis (AI)
Improper access control in Frappe prior to 16.17.4 permits any authenticated user to modify any field in any Onboarding Step record, bypassing expected privilege restrictions. Affected deployments running versions below 16.17.4 expose their onboarding configuration data to unauthorized tampering by low-privileged users. …
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires a valid, authenticated user session in the Frappe application (PR:L in the CVSS 4.0 vector); unauthenticated access is not sufficient. … |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N) yields a score of 5.3, reflecting a network-accessible, low-complexity flaw requiring only low privileges with no user interaction and a limited integrity-only impact. … |
| Exploit Scenario | An authenticated low-privileged user - such as a standard employee or guest account in an ERPNext deployment - directly submits a crafted write request to the Frappe REST API targeting an Onboarding Step record, supplying modified field values such as altered step titles, instructions, or completion states. No public POC has been identified, but the attack requires no technical sophistication beyond knowing the doctype name and the standard Frappe API structure. … |
| Remediation | Upgrade Frappe to version 16.17.4 or later, which contains the official fix per the GitHub Security Advisory GHSA-78rj-jch8-42m8 (https://github.com/frappe/frappe/security/advisories/GHSA-78rj-jch8-42m8). … |
EUVD-2026-36493