Skip to main content

Frappe Framework EUVDEUVD-2026-43103

| CVE-2026-41482 HIGH
Path Traversal (CWE-22)
2026-07-10 GitHub_M
7.1
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Remotely reachable low-complexity request needing a low-privilege authenticated account (PR:L); path traversal yields high confidentiality file disclosure only, so I:N/A:N and scope unchanged.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 10, 2026 - 23:02 EUVD
Analysis Generated
Jul 10, 2026 - 21:56 vuln.today
CVE Published
Jul 10, 2026 - 21:20 cve.org
HIGH 7.1

DescriptionCVE.org

Frappe is a full-stack web application framework. Prior to 16.18.3, possible path traversal and local file inclusion were possible through secure local resource access in the Chrome PDF Generator. This issue is fixed in version 16.18.3.

AnalysisAI

Local file inclusion in the Frappe Framework's Chrome PDF Generator (versions prior to 16.18.3) allows an authenticated user to abuse the 'secure local resource access' mechanism to traverse the filesystem and read arbitrary local files on the server. The flaw is a CWE-22 path traversal disclosed via GitHub Security Advisory GHSA-234v-jfr8-v2f8 and carries a CVSS 4.0 base score of 7.1 (VC:H - confidentiality-only impact). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege user
Delivery
Craft template with traversal path
Exploit
Trigger Chrome PDF generation
Execution
Resolve path outside asset root
Persist
Read arbitrary local file into PDF
Impact
Exfiltrate server secrets

Vulnerability AssessmentAI

Exploitation Exploitation requires a Frappe instance prior to 16.18.3 that uses the Chrome PDF Generator for print/PDF rendering, and the attacker must hold a low-privilege authenticated account (CVSS PR:L) capable of invoking PDF generation or supplying/influencing an HTML template or local-resource path processed by the 'secure local resource access' feature. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) drives a base score of 7.1 (High): remotely reachable, low attack complexity, no user interaction, requiring only low-level authenticated privileges, and yielding high confidentiality impact with no integrity or availability effect - consistent with a file-read/LFI primitive rather than code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged authenticated user of a Frappe or ERPNext site crafts or edits a print format / HTML template that references a local resource using a traversal path (e.g., ../../../../etc/passwd or the site's site_config.json), then triggers PDF generation. The Chrome PDF Generator resolves the path outside the intended asset directory and embeds the target file's contents into the returned PDF, disclosing server secrets to the attacker. …
Remediation Vendor-released patch: upgrade Frappe Framework to version 16.18.3 or later, which contains the fix delivered through PRs https://github.com/frappe/frappe/pull/38643 and https://github.com/frappe/frappe/pull/39396 and commits 11066591ed7aa91a7b742f3f689277a90e620ce0 and 46841f7fde3954e1d3b3a7e248a6d6022343e657; the release is at https://github.com/frappe/frappe/releases/tag/v16.18.3 and details are in advisory GHSA-234v-jfr8-v2f8. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Frappe

View all
CVE-2025-67289 CRITICAL POC
9.6 Dec 22

Stored cross-site scripting leading to code execution in Frappe Framework 15.89.0 (and the ERPNext application built on

CVE-2026-39352 HIGH POC
8.7 May 20

Arbitrary file read in the Frappe full-stack web application framework allows remote unauthenticated attackers to retrie

CVE-2025-56381 MEDIUM POC
6.5 Oct 02

ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportv

CVE-2025-56380 MEDIUM POC
6.5 Oct 02

Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the fra

CVE-2025-52048 MEDIUM POC
6.5 Sep 15

In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py

CVE-2022-41712 MEDIUM POC
6.5 Nov 25

Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. Rated medium severity (CVSS

CVE-2019-15700 MEDIUM POC
6.1 Aug 27

public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and

CVE-2026-31877 CRITICAL
9.8 Mar 11

SQL injection in Frappe framework before 15.84.0/14.99.0.

CVE-2019-14965 CRITICAL
9.8 Aug 12

An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. Rated critical severity (CVSS 9.8), this vulner

CVE-2025-56379 MEDIUM POC
5.4 Oct 02

A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execu

CVE-2026-35614 CRITICAL
9.3 Apr 07

SQL injection in Frappe's bulk_update function enables unauthenticated remote attackers to execute arbitrary SQL command

CVE-2025-65267 CRITICAL
9.0 Dec 03

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to

Share

EUVD-2026-43103 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy