Skip to main content

Frappe Framework EUVDEUVD-2026-43106

| CVE-2026-42219 MEDIUM
Path Traversal (CWE-22)
2026-07-10 GitHub_M
6.9
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.9 MEDIUM

Network-accessible endpoint with low complexity, but PR:H required; confidentiality-only impact with no integrity or availability consequence and no scope change.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 23:02 EUVD
Analysis Generated
Jul 10, 2026 - 22:21 vuln.today

DescriptionCVE.org

Frappe is a full-stack web application framework. Prior to 16.19.0 and 15.109.0, path traversal via download_backups was possible due to lack of hardening. This issue is fixed in versions 16.19.0 and 15.109.0.

AnalysisAI

Path traversal via the download_backups endpoint in Frappe framework exposes arbitrary server-side files to authenticated high-privilege users. Affected versions span the entire v15 branch prior to 15.109.0 and the v16 branch prior to 16.19.0 (CPE: cpe:2.3:a:frappe:frappe:*). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Frappe admin credentials
Delivery
Authenticate to Frappe desk interface
Exploit
Submit crafted download_backups request with traversal payload
Execution
Bypass absent path validation
Impact
Read arbitrary files from server filesystem

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a Frappe administrator account (PR:H); standard or guest Frappe user roles are insufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 with vector AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N reflects a real but constrained risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained Frappe administrator credentials - whether through phishing, credential stuffing, or a prior compromise - authenticates to the Frappe desk and issues a crafted request to the download_backups endpoint using a path traversal sequence (e.g., filename=../../.env or filename=../../../etc/shadow) to retrieve files outside the backup directory. The server, lacking canonical path validation, resolves and returns the requested file, potentially exposing database credentials, secret keys, or OS-level sensitive files that enable further system compromise.
Remediation Upgrade Frappe to version 16.19.0 (v16 branch) or 15.109.0 (v15 branch); these are the vendor-confirmed fixed releases per GitHub advisory GHSA-w4p4-fp9m-47gj (https://github.com/frappe/frappe/security/advisories/GHSA-w4p4-fp9m-47gj). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Frappe

View all
CVE-2025-67289 CRITICAL POC
9.6 Dec 22

Stored cross-site scripting leading to code execution in Frappe Framework 15.89.0 (and the ERPNext application built on

CVE-2026-39352 HIGH POC
8.7 May 20

Arbitrary file read in the Frappe full-stack web application framework allows remote unauthenticated attackers to retrie

CVE-2025-56381 MEDIUM POC
6.5 Oct 02

ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportv

CVE-2025-56380 MEDIUM POC
6.5 Oct 02

Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the fra

CVE-2025-52048 MEDIUM POC
6.5 Sep 15

In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py

CVE-2022-41712 MEDIUM POC
6.5 Nov 25

Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. Rated medium severity (CVSS

CVE-2019-15700 MEDIUM POC
6.1 Aug 27

public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and

CVE-2026-31877 CRITICAL
9.8 Mar 11

SQL injection in Frappe framework before 15.84.0/14.99.0.

CVE-2019-14965 CRITICAL
9.8 Aug 12

An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. Rated critical severity (CVSS 9.8), this vulner

CVE-2025-56379 MEDIUM POC
5.4 Oct 02

A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execu

CVE-2026-35614 CRITICAL
9.3 Apr 07

SQL injection in Frappe's bulk_update function enables unauthenticated remote attackers to execute arbitrary SQL command

CVE-2025-65267 CRITICAL
9.0 Dec 03

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to

Share

EUVD-2026-43106 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy