Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remotely reachable low-complexity request needing a low-privilege authenticated account (PR:L); path traversal yields high confidentiality file disclosure only, so I:N/A:N and scope unchanged.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Frappe is a full-stack web application framework. Prior to 16.18.3, possible path traversal and local file inclusion were possible through secure local resource access in the Chrome PDF Generator. This issue is fixed in version 16.18.3.
AnalysisAI
Local file inclusion in the Frappe Framework's Chrome PDF Generator (versions prior to 16.18.3) allows an authenticated user to abuse the 'secure local resource access' mechanism to traverse the filesystem and read arbitrary local files on the server. The flaw is a CWE-22 path traversal disclosed via GitHub Security Advisory GHSA-234v-jfr8-v2f8 and carries a CVSS 4.0 base score of 7.1 (VC:H - confidentiality-only impact). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a Frappe instance prior to 16.18.3 that uses the Chrome PDF Generator for print/PDF rendering, and the attacker must hold a low-privilege authenticated account (CVSS PR:L) capable of invoking PDF generation or supplying/influencing an HTML template or local-resource path processed by the 'secure local resource access' feature. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) drives a base score of 7.1 (High): remotely reachable, low attack complexity, no user interaction, requiring only low-level authenticated privileges, and yielding high confidentiality impact with no integrity or availability effect - consistent with a file-read/LFI primitive rather than code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged authenticated user of a Frappe or ERPNext site crafts or edits a print format / HTML template that references a local resource using a traversal path (e.g., ../../../../etc/passwd or the site's site_config.json), then triggers PDF generation. The Chrome PDF Generator resolves the path outside the intended asset directory and embeds the target file's contents into the returned PDF, disclosing server secrets to the attacker. … |
| Remediation | Vendor-released patch: upgrade Frappe Framework to version 16.18.3 or later, which contains the fix delivered through PRs https://github.com/frappe/frappe/pull/38643 and https://github.com/frappe/frappe/pull/39396 and commits 11066591ed7aa91a7b742f3f689277a90e620ce0 and 46841f7fde3954e1d3b3a7e248a6d6022343e657; the release is at https://github.com/frappe/frappe/releases/tag/v16.18.3 and details are in advisory GHSA-234v-jfr8-v2f8. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Stored cross-site scripting leading to code execution in Frappe Framework 15.89.0 (and the ERPNext application built on
Arbitrary file read in the Frappe full-stack web application framework allows remote unauthenticated attackers to retrie
ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportv
Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the fra
In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py
Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. Rated medium severity (CVSS
public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and
SQL injection in Frappe framework before 15.84.0/14.99.0.
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. Rated critical severity (CVSS 9.8), this vulner
A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execu
SQL injection in Frappe's bulk_update function enables unauthenticated remote attackers to execute arbitrary SQL command
In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43103