CVE-2026-41317

CVE Database · CVE-2026-41317

CVE-2026-41317

· HIGHAnalyzed

CVSS v3.1

7.5

CVSS v4.0

6.6

EPSS

0.13%

Published

Apr 24, 2026

Modified

Apr 30, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts method to POST.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Weaknesses (CWE)

CWE-352

Affected Products (1)

frappe · press (up to 0.9.0)vulnerable

References (2)

https://github.com/frappe/press/commit/52ea2f2d1b587be0807557e96f025f47897d00fd

Patch

https://github.com/frappe/press/security/advisories/GHSA-q4wg-jrr8-vpwf

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs