Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible API requires a low-privilege authenticated session (PR:L); scope unchanged, integrity impact limited to unauthorized file attachment, no confidentiality or availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Frappe is a full-stack web application framework. Prior to 16.20.0 and 15.110.0, users without write access could attach files to any doctype through file-handling API endpoints such as add_attachments. This issue is fixed in versions 16.20.0 and 15.110.0.
AnalysisAI
Unauthorized file attachment in Frappe, a Python/JavaScript full-stack web framework, allows any authenticated low-privilege user to attach files to arbitrary doctypes through file-handling API endpoints such as add_attachments, bypassing per-document write permission enforcement. Affected are all Frappe v15 releases prior to 15.110.0 and all v16 releases prior to 16.20.0. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid, authenticated Frappe user session - the CVSS 4.0 PR:L metric confirms a low-privilege account suffices and unauthenticated access does not apply. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N scores this at 5.3 (Medium), consistently reflecting a network-reachable, low-complexity flaw exploitable by any authenticated user with no additional prerequisites. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Frappe user holding read-only access to a sensitive DocType - such as a payroll record or a confidential customer file in an ERPNext deployment - crafts a direct API call to the add_attachments endpoint, supplying the target DocType name and document ID along with a chosen file. Because the endpoint does not verify write permission before persisting the attachment, the file is recorded against the document despite the caller's insufficient privilege level. … |
| Remediation | Upgrade Frappe to version 16.20.0 or later on the v16 branch, or to version 15.110.0 or later on the v15 branch; these are vendor-confirmed patched releases per https://github.com/frappe/frappe/releases/tag/v16.20.0 and https://github.com/frappe/frappe/releases/tag/v15.110.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Stored cross-site scripting leading to code execution in Frappe Framework 15.89.0 (and the ERPNext application built on
Arbitrary file read in the Frappe full-stack web application framework allows remote unauthenticated attackers to retrie
ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportv
Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the fra
In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py
Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. Rated medium severity (CVSS
public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and
SQL injection in Frappe framework before 15.84.0/14.99.0.
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. Rated critical severity (CVSS 9.8), this vulner
A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execu
SQL injection in Frappe's bulk_update function enables unauthenticated remote attackers to execute arbitrary SQL command
In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43104