CVE-2026-41317

· NIST NVD ↗

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts method to POST.

HIGH
CVSS severity
7.5
CVSS base score
2026-04-24
Published

CWE codes

CWE-352

Affected products

frappe:press

Sources