CVE-2026-44975

MEDIUM

Frappe: Missing authorization on reset form tours

Title source: cna

Description

Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4.

References (1)


Scores

CVSS v4: 5.3
EPSS: 0.0028
EPSS Percentile: 19.3%
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-862
Status: published
Products (2):
frappe/frappe < 15.107.2
frappe/frappe < 16.17.4
Published: Jun 12, 2026
Tracked Since: Jun 12, 2026