CVE-2026-44208 | Frappe is a full-stack web application framework. Prior to v… | CVSS 6.9 MEDIUM

Description

Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.

Metadata

CVE ID: CVE-2026-44208
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-05 15:13 UTC
Published: 2026-06-12 14:26 UTC
Last updated: 2026-06-13 03:14 UTC
Primary CWE: CWE-284
CWE-284: Improper Access Control
Vendor / Product: frappe / frappe
Sources: cve.org · NVD

Severity & Metrics

6.9 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
frappe	frappe	—	< 15.107.0, < 16.17.0

Weakness (CWE)

CWE	Source	Description
CWE-284	cna	CWE-284: Improper Access Control
CWE-285	cna	CWE-285: Improper Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References (1)

https://github.com/frappe/frappe/security/advisories/GHSA-xh7m-j2j2-82f2 https://github.com/frappe/frappe/security/advisories/GHSA-xh7m-j2j2-82f2