Skip to main content

Frappe Framework EUVDEUVD-2026-43100

| CVE-2026-58503 MEDIUM
Observable Discrepancy (CWE-203)
2026-07-10 GitHub_M
6.9
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Unauthenticated network endpoint with no complexity; impact is limited to low confidentiality loss (account enumeration only), with no integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 23:02 EUVD
Analysis Generated
Jul 10, 2026 - 22:11 vuln.today

DescriptionCVE.org

Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the reset_password endpoint. This issue is fixed in versions 16.16.0 and 15.106.0.

AnalysisAI

User enumeration via the reset_password endpoint in Frappe framework exposes valid account usernames to unauthenticated remote attackers across all versions prior to 15.106.0 and 16.16.0. The flaw stems from observable response discrepancies (CWE-203) that allow systematic probing of registered accounts without any credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-facing Frappe instance
Delivery
Send crafted requests to reset_password endpoint
Exploit
Observe response discrepancies per identifier
Execution
Enumerate valid user accounts
Impact
Leverage account list for credential stuffing or phishing

Vulnerability AssessmentAI

Exploitation The reset_password endpoint must be network-reachable - no authentication, no special configuration, and no non-default feature enablement is required beyond a standard Frappe installation with the built-in password reset feature active (which is default). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) scores 6.9, reflecting a low-complexity, unauthenticated, network-accessible flaw with limited confidentiality impact confined to account existence disclosure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends repeated POST requests to the Frappe reset_password endpoint using a wordlist of email addresses or usernames, and differentiates valid from invalid accounts by observing response body, status code, or timing discrepancies. The resulting list of confirmed valid accounts is fed into credential stuffing tools or used to craft targeted phishing lures against identified users. …
Remediation Upgrade Frappe to version 16.16.0 (v16 branch) or 15.106.0 (v15 branch), which resolve the user enumeration discrepancy in the reset_password endpoint. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Frappe

View all
CVE-2025-67289 CRITICAL POC
9.6 Dec 22

Stored cross-site scripting leading to code execution in Frappe Framework 15.89.0 (and the ERPNext application built on

CVE-2026-39352 HIGH POC
8.7 May 20

Arbitrary file read in the Frappe full-stack web application framework allows remote unauthenticated attackers to retrie

CVE-2025-56381 MEDIUM POC
6.5 Oct 02

ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportv

CVE-2025-56380 MEDIUM POC
6.5 Oct 02

Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the fra

CVE-2025-52048 MEDIUM POC
6.5 Sep 15

In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py

CVE-2022-41712 MEDIUM POC
6.5 Nov 25

Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. Rated medium severity (CVSS

CVE-2019-15700 MEDIUM POC
6.1 Aug 27

public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and

CVE-2026-31877 CRITICAL
9.8 Mar 11

SQL injection in Frappe framework before 15.84.0/14.99.0.

CVE-2019-14965 CRITICAL
9.8 Aug 12

An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. Rated critical severity (CVSS 9.8), this vulner

CVE-2025-56379 MEDIUM POC
5.4 Oct 02

A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execu

CVE-2026-35614 CRITICAL
9.3 Apr 07

SQL injection in Frappe's bulk_update function enables unauthenticated remote attackers to execute arbitrary SQL command

CVE-2025-65267 CRITICAL
9.0 Dec 03

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to

Share

EUVD-2026-43100 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy