Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoint (AV:N) with low complexity, but a valid low-privilege account is required (PR:L); impact is integrity-only tampering of public workspaces, so C:N/I:H/A:N.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the update_page endpoint in Workspace because public workspaces did not receive the required Workspace Manager edit check. This issue is fixed in version 16.19.0.
AnalysisAI
Broken access control in the Frappe framework (all versions prior to 16.19.0) lets a low-privileged authenticated user modify public Workspaces they should not control, because the update_page endpoint failed to enforce the Workspace Manager edit permission on public workspaces. Any user able to reach the endpoint can alter shared workspace layout and content, an integrity-only impact with no data disclosure. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Frappe account (CVSS PR:L) that can reach the Workspace update_page endpoint, and the target must be a public (shared) Workspace - private workspaces already enforced the check and are not affected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N, score 7.1) tells a consistent story: network-reachable, low complexity, requires an authenticated low-privilege account, no user interaction, and a pure integrity impact with no confidentiality or availability loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user with an ordinary low-privilege Frappe account - but without the Workspace Manager role - sends a crafted request to the update_page endpoint targeting a public Workspace and successfully saves changes to it, altering the shared dashboard/navigation seen by the whole organization. No public POC is known, but the low attack complexity and lack of required user interaction make it trivial for any authenticated user to attempt. |
| Remediation | Vendor-released patch: 16.19.0 - upgrade the Frappe framework to v16.19.0 or later (https://github.com/frappe/frappe/releases/tag/v16.19.0), which adds the missing Workspace Manager edit check to the public-workspace path; the underlying fixes are in PRs https://github.com/frappe/frappe/pull/39508 and https://github.com/frappe/frappe/pull/39526 and commits 2471d94c397dc23301b30ed3bb30353f53b33f2c and 6eba29d7ae80cdb4d0b2a245a477b1d2312736ca. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Frappe instances running versions prior to 16.19.0 and identify those with shared public Workspaces. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Stored cross-site scripting leading to code execution in Frappe Framework 15.89.0 (and the ERPNext application built on
Arbitrary file read in the Frappe full-stack web application framework allows remote unauthenticated attackers to retrie
ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportv
Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the fra
In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py
Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. Rated medium severity (CVSS
public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and
SQL injection in Frappe framework before 15.84.0/14.99.0.
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. Rated critical severity (CVSS 9.8), this vulner
A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execu
SQL injection in Frappe's bulk_update function enables unauthenticated remote attackers to execute arbitrary SQL command
In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43105