Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible endpoint requires low-privilege authentication; limited read/write impact on report data; no availability impact and no scope change.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Frappe is a full-stack web application framework. Prior to 15.107.5 and 16.18.2, an endpoint in reportview lacked appropriate permission checks and that has since been fixed. This vulnerability is fixed in 15.107.5 and 16.18.2.
AnalysisAI
Missing authorization on the reportview endpoint in Frappe framework permits authenticated low-privileged users to access or manipulate report data beyond their permitted scope. Versions prior to 15.107.5 (v15 branch) and 16.18.2 (v16 branch) are affected, confirmed via GitHub Security Advisory GHSA-w8g7-j846-j248. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated session in Frappe with at least low-privileged access (PR:L per CVSS 4.0) - unauthenticated external attackers cannot exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.3 (medium) reflects a network-reachable, low-complexity flaw requiring low-privileged authentication, with limited confidentiality and integrity impact (VC:L/VI:L) and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated low-privileged Frappe user - such as a guest or restricted portal account - sends a crafted API request directly to the reportview endpoint referencing a report or data resource they would not normally be permitted to access. Because the endpoint omits the required permission check, the server returns or modifies the requested data without validating the user's role or document-level permissions. … |
| Remediation | Upgrade Frappe to version 15.107.5 or later on the v15 line, or to 16.18.2 or later on the v16 line, as confirmed by the vendor security advisory at https://github.com/frappe/frappe/security/advisories/GHSA-w8g7-j846-j248. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Stored cross-site scripting leading to code execution in Frappe Framework 15.89.0 (and the ERPNext application built on
Arbitrary file read in the Frappe full-stack web application framework allows remote unauthenticated attackers to retrie
ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportv
Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the fra
In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py
Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. Rated medium severity (CVSS
public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and
SQL injection in Frappe framework before 15.84.0/14.99.0.
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. Rated critical severity (CVSS 9.8), this vulner
A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execu
SQL injection in Frappe's bulk_update function enables unauthenticated remote attackers to execute arbitrary SQL command
In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43099