CVE-2026-44206

MEDIUM

Frappe: DB Schema Enumeration via Frappe-Authorization-Source

Title source: cna

Description

Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, the database schema can be enumerated by exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4.

Scores

CVSS v4 6.9
EPSS 0.0031
EPSS Percentile 22.6%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (2)
frappe/frappe < 15.107.2
frappe/frappe < 16.17.4
Published Jun 12, 2026
Tracked Since Jun 12, 2026