PatchSiren cyber security CVE debrief
CVE-2026-44976 frappe CVE debrief
CVE-2026-44976 is a vulnerability in Frappe, a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM.
- Vendor: frappe
- Product: Unknown
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Frappe framework, especially those who have not upgraded to version 16.17.4 or later.
Technical summary
The vulnerability allows any user to modify any field in any Onboarding Step record in Frappe versions prior to 16.17.4. This issue has been patched in version 16.17.4.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Frappe version 16.17.4 or later.
- Review and restrict user permissions for modifying Onboarding Step records.
Evidence notes
The vulnerability is patched in version 16.17.4.
Official resources
- CVE-2026-44976 CVE record (CVE.org)
- CVE-2026-44976 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-44976 was published on 2026-06-12T16:16:28.260Z and modified on 2026-06-12T16:20:22.063Z.