Which versions of Frappe Framework are affected by EUVD-2026-31178?

Frappe framework versions prior to 15.105.0 and 16.15.0 are vulnerable to unauthenticated path traversal attacks that allow remote adversaries to read arbitrary files, including credentials and…. A patch is available.

Frappe Framework EUVD-2026-31178

Q: What is the CVSS score of EUVD-2026-31178?

EUVD-2026-31178 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-39352 HIGH

Path Traversal (CWE-22)

2026-05-20 GitHub_M

Path Traversal

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 20, 2026 - 21:32 EUVD

Source Code Evidence Fetched

May 20, 2026 - 20:31 vuln.today

Analysis Generated

May 20, 2026 - 20:31 vuln.today

CVSS changed

May 20, 2026 - 20:22 NVD

8.7 (HIGH)

DescriptionNVD

Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above.

AnalysisAI

Arbitrary file read in the Frappe full-stack web application framework allows remote unauthenticated attackers to retrieve files outside intended directories via path traversal sequences in affected versions prior to 15.105.0 and 16.15.0. The CVSS 4.0 base score of 8.7 reflects high confidentiality impact with no required privileges or user interaction, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV. …

RemediationAI

Within 24 hours: Audit all Frappe installations to identify versions prior to 15.105.0 and 16.15.0; prioritize internet-exposed instances. Within 7 days: Implement web application firewall rules blocking path traversal sequences (../, encoded variants); restrict file system permissions on sensitive configuration files (site_config.json, etc.); rotate all credentials (database passwords, API keys, encryption keys). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-31178 vulnerability details – vuln.today

Back

Frappe Framework EUVD-2026-31178

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Frappe Framework EUVD-2026-31178

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code