What is the CVSS score of CVE-2025-68953?

CVE-2025-68953 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Frappe are affected by CVE-2025-68953?

Organizations using Frappe face notable risk from CVE-2025-68953, a path traversal vulnerability rated CVSS 7.5.. A patch is available.

How to fix or mitigate CVE-2025-68953?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Review file handling controls and restrict upload directories.

Frappe CVE-2025-68953

HIGH

Path Traversal (CWE-22)

2026-01-05 security-advisories@github.com

Path Traversal Frappe

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch released

Jan 09, 2026 - 13:55 nvd

Patch available

CVE Published

Jan 05, 2026 - 22:15 nvd

HIGH 7.5

DescriptionGitHub Advisory

Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are vulnerable to path traversal attacks. Arbitrary files from the server could be retrieved due to a lack of proper sanitization on some requests. This issue is fixed in versions 14.99.6 and 15.88.1. To workaround, changing the setup to use a reverse proxy is recommended.

AnalysisAI

Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are vulnerable to path traversal attacks. [CVSS 7.5 HIGH]

Technical ContextAI

Classified as CWE-22 (Path Traversal). Affects Frappe. Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are vulnerable to path traversal attacks. Arbitrary files from the server could be retrieved due to a lack of proper sanitization on some requests. This issue is fixed in versions 14.99.6 and 15.88.1. To workaround, changing the setup to use a reverse proxy is recommended.

RemediationAI

A vendor patch is available — apply it immediately. Validate and sanitize file path inputs. Use allowlists. Restrict network access to the affected service where possible.

More from same product – last 7 days

CVE-2026-44208 MEDIUM This Month

6.9 Jun 12

Unauthorized resource access in the Frappe web application framework exposes the submit_discussion() endpoint to unauthe

CVE-2026-50026 MEDIUM This Month

6.9 Jun 12

Missing authorization checks on multiple Frappe framework endpoints allow remote unauthenticated attackers to access and

CVE-2026-44205 MEDIUM This Month

6.9 Jun 12

Stored cross-site scripting in Frappe's user profile image section enables script injection that executes in the browser

CVE-2026-47739 MEDIUM This Month

6.9 Jun 12

Stored cross-site scripting in the Frappe framework's Note feature allows a low-privileged attacker to persist malicious

CVE-2026-44206 MEDIUM This Month

6.9 Jun 12

DB schema enumeration in Frappe (versions prior to 15.107.2 and 16.17.4) exposes internal database structure to unauthen

CVE-2025-68953 vulnerability details – vuln.today

Back

Frappe CVE-2025-68953

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code