Impact
The vulnerability allows an attacker to enumerate database schema details, such as table and column names, through a specific HTTP endpoint. This information disclosure is classified as CWE-200. It provides no privilege escalation directly, but the disclosed schema lets a malicious actor map the database layout and craft more precise attacks against other parts of the system, potentially compromising the confidentiality of data. The issue is rated medium severity, as reflected by its CVSS score of 6.9.
Affected Systems
The affected product is the Frappe web application framework, in all versions prior to 15.107.2 on the 15.x branch and prior to 16.17.4 on the 16.x branch, as indicated by the vendor's advisory. The fix requires 15.107.2 or later for 15.x releases, and 16.17.4 or later for the 16.x branch. Any deployment of an earlier release is susceptible to this enumeration flaw.
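A version triage against the fixed releases stated above, as an added example (not code from Frappe or the vendor advisory). The inventory, the hostnames, the accepted `x.y.z` version format, and the handling of branches older than 15.x and newer than 16.x are assumptions.

```python
import re

# Fixed releases per branch, taken from the advisory text above.
FIXED = {15: (15, 107, 2), 16: (16, 17, 4)}

# Only plain x.y.z (optionally prefixed with "v") is accepted; anything with
# a suffix or a branch name is reported as "unknown" rather than guessed at.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, patch) as integers, or None if not x.y.z."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Classify one installed Frappe version against the fixed releases."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    major = version[0]
    if major in FIXED:
        # Integer tuple comparison: 15.9.0 sorts below 15.107.2, which a
        # plain string comparison would get wrong.
        return "fixed" if version >= FIXED[major] else "vulnerable"
    if major < min(FIXED):
        # Assumption: branches older than 15.x count as "prior to 15.107.2"
        # and have no fixed release of their own.
        return "vulnerable"
    return "not-covered"  # Assumption: newer majors are outside the advisory.


def triage(inventory):
    """Map host -> status for a {host: version string} inventory."""
    return {host: classify(v) for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {"erp-prod": "15.107.1", "erp-stage": "15.107.2",
              "crm": "v16.17.3", "legacy": "14.92.0", "dev": "develop"}
    for host, status in sorted(triage(sample).items()):
        print(f"{host:10} {status}")
```

Hosts reported as `unknown` need a manual check, since a branch name or suffixed build cannot be compared against the fixed releases.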
Risk and Exploitability
The overall risk is moderate, with a CVSS score of 6.9 indicating non-critical but noteworthy severity. The EPSS score of less than 1% suggests that the probability of exploitation has historically been low, and the CVE is not listed in the CISA KEV catalog. Based on the description, exploitation requires access to the exposed endpoint, likely via unauthenticated or low-privilege HTTP requests. Consequently, the attack vector is considered local or network-based, and is contingent on the endpoint not being properly restricted by authentication or network controls.