Vulnerability in Frappe

CVE-2026-58503

Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the reset_password endpoint. This issue is fixed in versions 16.16.0 and 15.106.0.

Affected products

  • Frappe — versions < 15.106.0, >= 16.0.0-beta1, < 16.16.0

Weakness classification (CWE)

References