Skip to content
CVSS 7.5 · HIGH

CVE-2026-41317

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts method to POST.

Ver en NVD

Análisis

Frappe Press is the orchestration layer for Frappe Cloud and associated SaaS offerings. The ability to create API secrets via a CSRF-like GET request presents a clear path to account compromise. Given the popularity of the Frappe/ERPNext ecosystem among developers, this is worth surfacing.

Severidad

Puntaje: 7.5(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: NONE
I: HIGH
A: NONE
Tipo de falla (CWE): CWE-352

EPSS

Probabilidad de explotación (próx. 30 días): 0.0002 (0.0%)
Percentil: 5.6%
EPSS: 2026-05-06

Afecta

frappe:press

Descripción técnica

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts method to POST.

Publicada: 24/4/2026, 3:16:12
Última modificación: 30/4/2026, 14:53:51

Referencias

InicioEventosBlogRecursosEquipo