๐Ÿ” CVE Alert

CVE-2026-49394

UNKNOWN 0.0

Frappe: Auth. bypass via update_page

CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
23th

Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the update_page endpoint in Workspace because public workspaces did not receive the required Workspace Manager edit check. This issue is fixed in version 16.19.0.

CWE CWE-862
Vendor frappe
Product frappe
Published Jul 10, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for frappe frappe

Be the first to know when new unknown vulnerabilities affecting frappe frappe are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

frappe / frappe
< 16.19.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/frappe/frappe/security/advisories/GHSA-r24j-xrj8-273q github.com: https://github.com/frappe/frappe/pull/39508 github.com: https://github.com/frappe/frappe/pull/39526 github.com: https://github.com/frappe/frappe/commit/2471d94c397dc23301b30ed3bb30353f53b33f2c github.com: https://github.com/frappe/frappe/commit/6eba29d7ae80cdb4d0b2a245a477b1d2312736ca github.com: https://github.com/frappe/frappe/releases/tag/v16.19.0