PYSEC-2026-1392

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/frappe/PYSEC-2026-1392.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1392
Aliases
Published
2026-07-07T14:34:58.910138Z
Modified
2026-07-07T17:47:22.070310685Z
Severity
  • 8.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Frappe vulnerable to information disclosure leading to account takeover
Details

Impact

Making crafted requests could lead to information disclosure that could further lead to account takeover.

Workarounds

There's no workaround to fix this without upgrading.

Credits

Thanks to Thanh of Calif.io for reporting the issue

References

Affected packages

PyPI / frappe

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
14.89.0
Introduced
15.0.0
Fixed
15.51.0

Affected versions

0.*
0.0.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/frappe/PYSEC-2026-1392.yaml"