Severity by source

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Rationale: AV:N because file access occurs over HTTP; PR:L because any valid authenticated session suffices; VC:L for limited file disclosure with no integrity or availability impact.
Description (source: CVE.org)
Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4.
Analysis (AI-generated)
Improper access control in Frappe Framework (all versions prior to 16.17.4) allows any authenticated user to retrieve private files by guessing their server-side file path, bypassing intended authorization restrictions. The flaw is classified under CWE-284 (Improper Access Control) and affects the file-serving layer of the framework, which underlies widely deployed applications such as ERPNext. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.

Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires a valid authenticated session in the Frappe application at any privilege level (PR:L per the CVSS 4.0 vector). … |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) rates this as a low-complexity, network-accessible vulnerability with limited confidentiality impact and no integrity or availability consequences, consistent with an unauthorized file read rather than code execution. … |
| Exploit Scenario | An attacker holding a valid low-privileged Frappe account (for example a standard portal user or a recently onboarded employee) sends direct HTTP GET requests to private file paths, relying on the predictable layout of Frappe's file storage URLs. By iterating over known path structures and filenames observed through other application interactions, the attacker retrieves private documents such as invoices, HR records, or configuration attachments that are intended to be restricted to authorized roles. … |
| Remediation | Upgrade Frappe to version 16.17.4 or later, which contains the vendor-released patch per GitHub Security Advisory GHSA-gvg7-4p32-j648 (https://github.com/frappe/frappe/security/advisories/GHSA-gvg7-4p32-j648). … |
EUVD identifier: EUVD-2026-36495