CVE-2026-41317

UNKNOWN 0.0

Frappe Press has an unsafe HTTP method / CSRF-adjacent issue on API secret generation

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts method to POST.

CWE	CWE-352
Vendor	frappe
Product	press
Published	Apr 24, 2026

Stay Ahead of the Next One

Get instant alerts for frappe press

Be the first to know when new unknown vulnerabilities affecting frappe press are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

frappe / press

< 52ea2f2d1b587be0807557e96f025f47897d00fd

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/frappe/press/security/advisories/GHSA-q4wg-jrr8-vpwf github.com: https://github.com/frappe/press/commit/52ea2f2d1b587be0807557e96f025f47897d00fd