Severity by source
Primary rating from Vendor (GitHub_M).
CVSS vector (Vendor: GitHub_M):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoints require no privileges or user interaction (AV:N, AC:L, AT:N, PR:N, UI:N); impact on the vulnerable system is limited read and write (VC:L, VI:L) with no availability impact (VA:N), and no impact on subsequent systems is indicated (SC:N, SI:N, SA:N). The threat, environmental and supplemental metrics are not defined (X).
Description (CVE.org)
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, a lack of permission checks in these endpoints allowed unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.
Analysis (AI)
Missing authorization checks on multiple Frappe framework endpoints allow remote unauthenticated attackers to access and modify resources without permission. All Frappe installations on the 15.x branch prior to 15.107.0 and the 16.x branch prior to 16.17.0 are affected. …
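The fault class the analysis describes, as an added illustration that is not Frappe's code and not part of this page: a simplified model of a whitelisted, guest-reachable endpoint that returns a document without consulting permissions, beside the same endpoint with the check restored. The decorator, dispatcher, doctypes, roles and sessions are stand-ins invented for the example, not the framework's real API. The point is that reachability without login (allow_guest) is an authentication setting and grants no authorization, so every handler has to check permissions itself.

```python
"""Simplified model of a Frappe-style whitelisted endpoint with and without a
permission check.  Illustration only: not Frappe's code; doctypes, roles,
users and endpoint names are made up."""

from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when the caller lacks the required permission."""


# Constructed in-memory store standing in for the database.
DOCS = {
    ("Email Account", "Notifications"): {"email_id": "noreply@example.test", "password": "s3cret"},
    ("Note", "Roadmap"): {"content": "internal roadmap"},
}

# Constructed role -> doctype -> permitted permission types.
ROLE_PERMS = {
    "System Manager": {"Email Account": {"read", "write"}, "Note": {"read", "write"}},
    "Employee": {"Note": {"read"}},
    "Guest": {},
}


@dataclass
class Session:
    user: str
    roles: set = field(default_factory=lambda: {"Guest"})


def has_permission(session, doctype, ptype):
    """Role-based check: any of the caller's roles may grant the permission type."""
    return any(ptype in ROLE_PERMS.get(role, {}).get(doctype, set()) for role in session.roles)


ENDPOINTS = {}


def whitelist(allow_guest=False):
    """Marks a function as network-reachable (stand-in for @frappe.whitelist).
    allow_guest decides only whether a login is needed, never what the caller may see."""
    def deco(fn):
        ENDPOINTS[fn.__name__] = (fn, allow_guest)
        return fn
    return deco


@whitelist(allow_guest=True)
def get_doc_vulnerable(session, doctype, name):
    # Reachable without login and never consults permissions: whoever knows
    # (or enumerates) a doctype/name pair reads it, credentials included.
    return dict(DOCS[(doctype, name)])


@whitelist(allow_guest=True)
def get_doc_fixed(session, doctype, name):
    # Same endpoint with the missing authorization check restored.
    if not has_permission(session, doctype, "read"):
        raise AccessDenied(f"{session.user} may not read {doctype}")
    return dict(DOCS[(doctype, name)])


@whitelist()
def set_value_fixed(session, doctype, name, field_name, value):
    # Write path: requires a login (allow_guest=False) and a write permission.
    if not has_permission(session, doctype, "write"):
        raise AccessDenied(f"{session.user} may not write {doctype}")
    DOCS[(doctype, name)][field_name] = value
    return dict(DOCS[(doctype, name)])


def handle_request(session, method, **kwargs):
    """Dispatcher: enforces the login requirement but, like the framework,
    leaves authorization to the handler.  Returns (status, body)."""
    if method not in ENDPOINTS:
        return 404, {"error": "not found"}
    fn, allow_guest = ENDPOINTS[method]
    if session.user == "Guest" and not allow_guest:
        return 401, {"error": "login required"}
    try:
        return 200, fn(session, **kwargs)
    except AccessDenied as exc:
        return 403, {"error": str(exc)}


def demo():
    """Status codes an unauthenticated and an administrative caller receive."""
    guest = Session("Guest")
    admin = Session("admin@example.test", {"System Manager"})
    target = {"doctype": "Email Account", "name": "Notifications"}
    return {
        "guest_vuln": handle_request(guest, "get_doc_vulnerable", **target)[0],
        "guest_fixed": handle_request(guest, "get_doc_fixed", **target)[0],
        "admin_fixed": handle_request(admin, "get_doc_fixed", **target)[0],
        "guest_write": handle_request(guest, "set_value_fixed", doctype="Note",
                                      name="Roadmap", field_name="content", value="x")[0],
    }
```

Running demo() shows the guest reading the mail account credentials through the vulnerable handler (200) and being refused by the fixed one (403), while the write endpoint rejects the guest before the handler runs (401). The check that matters is the one inside the handler; the dispatcher's login gate is not a substitute.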
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | No special conditions are required for exploitation. … |
| Risk Assessment | The CVSS 4.0 score of 6.9 (Medium) reflects a straightforward unauthenticated network attack (AV:N, AC:L, AT:N, PR:N, UI:N) offset by bounded impact (VC:L, VI:L, VA:N). … |
| Exploit Scenario | An unauthenticated remote attacker identifies a publicly accessible Frappe instance running a vulnerable version and enumerates its API endpoints. By sending crafted HTTP requests directly to the affected endpoints (which skip permission validation), the attacker reads or writes resources belonging to other users or privileged contexts without any credential. … |
| Remediation | Vendor-released patches are available: operators on the version 15 branch must upgrade to Frappe 15.107.0 or later, and operators on the version 16 branch must upgrade to Frappe 16.17.0 or later. … |
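A check operators can run over the output of `bench version` (the `frappe <version>` line format is assumed here) to decide whether an installation falls inside the affected ranges the advisory gives: 15.x before 15.107.0 and 16.x before 16.17.0. This is an added example, not vuln.today's or Frappe's tooling, and the version strings in it are constructed. It answers None for branches the advisory does not cover rather than reporting them safe, and treats a pre-release build of the fix version itself as still affected.

```python
"""Decide whether an installed Frappe version is inside the affected ranges
this advisory lists.  Added example; the version strings are constructed and
the `frappe <version>` line format of `bench version` is an assumption."""

import re

# Branch -> first fixed version, as stated in the advisory.
FIXED = {15: (15, 107, 0), 16: (16, 17, 0)}

# Accepts 'v15.106.2', '16.17.0', or '15.107.0-dev'; a '-suffix' marks a pre-release.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text):
    """Returns ((major, minor, patch), is_prerelease) or raises ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    return nums, m.group(4) is not None


def is_affected(version):
    """True if affected, False if at or past the fix, None if the branch is not
    covered by this advisory (e.g. 14.x), so 'unknown' is never read as 'safe'."""
    nums, prerelease = parse_version(version)
    fixed = FIXED.get(nums[0])
    if fixed is None:
        return None
    # A pre-release of the fix version (16.17.0-dev) predates the fix.
    return nums < fixed or (nums == fixed and prerelease)


def check_bench_output(lines):
    """Scans `bench version`-style lines ('frappe 15.106.2') and returns the
    verdict for the frappe line, or None when no frappe line is present."""
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "frappe":
            return is_affected(parts[1])
    return None


if __name__ == "__main__":
    # Constructed sample of `bench version` output.
    sample = ["erpnext 15.50.0", "frappe 15.106.2"]
    print("affected:", check_bench_output(sample))
```

Because the fix landed on two branches, a plain "version >= 15.107.0" comparison is wrong for 16.x hosts (16.0.0 sorts above 15.107.0 yet is affected); the branch lookup in FIXED is what makes the check correct for both.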
More from same product (last 7 days)
- Unauthorized resource access in the Frappe web application framework exposes the submit_discussion() endpoint to unauthe
- Stored cross-site scripting in Frappe's user profile image section enables script injection that executes in the browser
- Stored cross-site scripting in the Frappe framework's Note feature allows a low-privileged attacker to persist malicious
- DB schema enumeration in Frappe (versions prior to 15.107.2 and 16.17.4) exposes internal database structure to unauthen
- Insecure Direct Object Reference (IDOR) in the Frappe full-stack web application framework exposes email configuration d
EUVD identifier: EUVD-2026-36458