EUVD-2026-36485Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible unauthenticated endpoint requiring no complexity; scope unchanged with only low integrity impact and zero confidentiality or availability effect.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.
AnalysisAI
Unauthorized resource access in the Frappe web application framework exposes the submit_discussion() endpoint to unauthenticated network callers who can bypass access controls and write discussion data to resources they do not own. All Frappe deployments running versions prior to 15.107.0 (v15 branch) or 16.17.0 (v16 branch) are affected, with impact limited to low-severity integrity writes and no confidentiality or availability consequence. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The submit_discussion() endpoint must be reachable over the network, which is typical of any internet-facing Frappe or ERPNext deployment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.9 reflects a fully unauthenticated (PR:N), low-complexity (AC:L), network-accessible (AV:N) attack surface, but the blast radius is deliberately narrow - only low-integrity writes to the vulnerable system (VI:L) with no confidentiality or availability impact confirmed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies an internet-facing Frappe or ERPNext instance and sends a crafted HTTP POST request directly to the submit_discussion() endpoint, supplying an arbitrary target resource identifier. Because the endpoint performs no authorization check, the server accepts the request and persists the forged discussion entry against a document the attacker does not own. … |
| Remediation | Upgrade Frappe to version 15.107.0 or later on the v15 release branch, or to version 16.17.0 or later on the v16 release branch, as documented in GitHub Security Advisory GHSA-xh7m-j2j2-82f2 at https://github.com/frappe/frappe/security/advisories/GHSA-xh7m-j2j2-82f2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Missing authorization checks on multiple Frappe framework endpoints allow remote unauthenticated attackers to access and
Stored cross-site scripting in Frappe's user profile image section enables script injection that executes in the browser
Stored cross-site scripting in the Frappe framework's Note feature allows a low-privileged attacker to persist malicious
DB schema enumeration in Frappe (versions prior to 15.107.2 and 16.17.4) exposes internal database structure to unauthen
Insecure Direct Object Reference (IDOR) in the Frappe full-stack web application framework exposes email configuration d
Share
External POC / Exploit Code
Leaving vuln.today