Skip to main content

Frappe Framework CVE-2026-47199

| EUVDEUVD-2026-43101 LOW
SQL Injection (CWE-89)
2026-07-10 GitHub_M
2.3
CVSS 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.1 LOW

AC:H reflects the non-default MySQL FILE privilege prerequisite; PR:L confirms authentication required; no confidentiality or availability impact applies.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 23:02 EUVD
Analysis Generated
Jul 10, 2026 - 22:15 vuln.today

DescriptionCVE.org

Frappe is a full-stack web application framework. Prior to 16.18.3 and 15.108.0, check_safe_sql_query permitted SELECT INTO OUTFILE queries, which could potentially work on self-hosted sites if database permissions are not well aligned and MySQL FILE privileges are available. This issue is fixed in versions 16.18.3 and 15.108.0.

AnalysisAI

Frappe framework's check_safe_sql_query function fails to block SELECT INTO OUTFILE statements, allowing authenticated low-privileged users to write arbitrary files to the server filesystem on self-hosted MySQL deployments where the database user holds the MySQL FILE privilege. Affected branches are v15 prior to 15.108.0 and v16 prior to 16.18.3; fixes are released at both version targets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Frappe as low-privileged user
Delivery
Identify SQL query execution surface (report builder or API)
Exploit
Craft SELECT INTO OUTFILE statement bypassing check_safe_sql_query filter
Execution
MySQL executes write using FILE privilege
Impact
Arbitrary file written to attacker-chosen server path

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent non-default conditions: the Frappe deployment must be self-hosted (not Frappe Cloud managed), the database backend must be MySQL (not PostgreSQL), and the MySQL database user configured for Frappe must hold the FILE privilege - which is not granted by default in MySQL and contradicts least-privilege hardening. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 2.3 (AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) accurately reflects real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Frappe user with low-level access submits a crafted SELECT INTO OUTFILE SQL query through an exposed query interface such as a custom report builder, query form, or API endpoint that invokes check_safe_sql_query. The filter bypass allows the statement to reach the MySQL engine, which - if the Frappe database user holds the FILE privilege - writes the query output to a server path chosen by the attacker, such as a web-accessible directory. …
Remediation Upgrade Frappe to version 16.18.3 (v16 branch) or 15.108.0 (v15 branch), both of which resolve the check_safe_sql_query bypass; release artifacts are available at https://github.com/frappe/frappe/releases/tag/v16.18.3 and https://github.com/frappe/frappe/releases/tag/v15.108.0, with underlying fixes landed via PRs #39345 and #39346 (commits 628e103f and 91d3ded0). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Frappe

View all
CVE-2025-67289 CRITICAL POC
9.6 Dec 22

Stored cross-site scripting leading to code execution in Frappe Framework 15.89.0 (and the ERPNext application built on

CVE-2026-39352 HIGH POC
8.7 May 20

Arbitrary file read in the Frappe full-stack web application framework allows remote unauthenticated attackers to retrie

CVE-2025-56381 MEDIUM POC
6.5 Oct 02

ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportv

CVE-2025-56380 MEDIUM POC
6.5 Oct 02

Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the fra

CVE-2025-52048 MEDIUM POC
6.5 Sep 15

In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py

CVE-2022-41712 MEDIUM POC
6.5 Nov 25

Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. Rated medium severity (CVSS

CVE-2019-15700 MEDIUM POC
6.1 Aug 27

public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and

CVE-2026-31877 CRITICAL
9.8 Mar 11

SQL injection in Frappe framework before 15.84.0/14.99.0.

CVE-2019-14965 CRITICAL
9.8 Aug 12

An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. Rated critical severity (CVSS 9.8), this vulner

CVE-2025-56379 MEDIUM POC
5.4 Oct 02

A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execu

CVE-2026-35614 CRITICAL
9.3 Apr 07

SQL injection in Frappe's bulk_update function enables unauthenticated remote attackers to execute arbitrary SQL command

CVE-2025-65267 CRITICAL
9.0 Dec 03

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to

Share

CVE-2026-47199 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy