Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable unauthenticated endpoint (AV:N/PR:N); bounded SQL injection yields partial data read/write only, no scope change or availability impact.
Primary rating from Vendor (GitHub_M).
Description (source: CVE.org)
Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, there is a possible SQL Injection via get_blog_list. This issue has been patched in versions 15.106.0 and 16.16.0.
Analysis (AI)
SQL Injection in the Frappe full-stack web framework's get_blog_list function allows unauthenticated remote attackers to manipulate database queries, leading to limited data read and write access. Frappe versions prior to 15.106.0 (v15 branch) and 16.16.0 (v16 branch) are affected across all deployments that expose the blog module. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | No special conditions are required for exploitation: the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates a remote, unauthenticated attack against a network-accessible endpoint with no attack prerequisites. … |
| Risk Assessment | Real-world risk is moderate-to-low for most operators. … |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP GET or POST request to the Frappe blog listing endpoint, injecting SQL syntax into a query parameter handled by get_blog_list. The injected payload alters the underlying SQL query, allowing the attacker to enumerate the database schema, extract partial application data, or perform limited data writes, without any account or session on the target application. … |
| Remediation | Upgrade Frappe to 15.106.0 or later on the v15 branch, or to 16.16.0 or later on the v16 branch; these are the vendor-confirmed patched releases per the GitHub security advisory at https://github.com/frappe/frappe/security/advisories/GHSA-h9hf-57r4-cm65. … |
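To check an installed Frappe version against the fixed releases named above, here is an added Python example (not code from vuln.today or the Frappe project). The inventory it runs over is constructed, and releases outside the v15/v16 branches are reported as unknown because the advisory text on this page does not cover them.

```python
import re
from typing import Optional

# Fixed releases per the advisory on this page: the v15 branch is patched
# in 15.106.0 and the v16 branch in 16.16.0. Earlier releases on each
# branch are affected. Other major versions are not addressed by the
# advisory text, so they are reported as unknown rather than guessed.
FIXED_BY_BRANCH = {15: (15, 106, 0), 16: (16, 16, 0)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a leading 'v' and any suffix after the
    patch number (e.g. '-beta') are tolerated."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Frappe version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if the release precedes the fixed release on its branch,
    False if it is at or after it, None if the branch is not one the
    advisory speaks to."""
    parsed = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group {site_name: frappe_version} into affected / patched / unknown
    buckets for follow-up."""
    buckets: dict[str, list[str]] = {"affected": [], "patched": [], "unknown": []}
    for site, ver in inventory.items():
        state = is_affected(ver)
        key = "unknown" if state is None else ("affected" if state else "patched")
        buckets[key].append(site)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or versions in use anywhere.
    sample = {"erp-prod": "15.105.3", "erp-staging": "v15.106.0",
              "hr": "16.15.9", "legacy": "14.80.1"}
    print(triage(sample))
```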
EUVD identifier: EUVD-2026-36453