CVE-2026-58503
Frappe: Unauthenticated User Enumeration via reset_password
CVSS Score
0.0
EPSS Score
0.4%
EPSS Percentile
28th
Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the reset_password endpoint. This issue is fixed in versions 16.16.0 and 15.106.0.
| CWE | CWE-203 |
| Vendor | frappe |
| Product | frappe |
| Published | Jul 10, 2026 |
| Last Updated | Jul 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for frappe frappe
Be the first to know when new unknown vulnerabilities affecting frappe frappe are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
frappe / frappe
< 15.106.0 >= 16.0.0-beta1, < 16.16.0
References
github.com: https://github.com/frappe/frappe/security/advisories/GHSA-3vqc-c545-w7jg github.com: https://github.com/frappe/frappe/pull/38625 github.com: https://github.com/frappe/frappe/pull/38626 github.com: https://github.com/frappe/frappe/commit/1ff64d4a67f9a6d8819ac059dc69f023fb9ea264 github.com: https://github.com/frappe/frappe/commit/d3becf5672cbb5c7150447161941aeebeeb84ae8 github.com: https://github.com/frappe/frappe/releases/tag/v15.106.0 github.com: https://github.com/frappe/frappe/releases/tag/v16.16.0