Skip to main content

Frappe EUVDEUVD-2026-43107

| CVE-2026-55852 HIGH
Path Traversal (CWE-22)
2026-07-10 GitHub_M
8.6
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.2 HIGH

Network-reachable import feature (AV:N/AC:L/UI:N) but requires admin-level import rights (PR:H); arbitrary file write yields full C/I/A on the host with no scope change.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 23:02 EUVD
Analysis Generated
Jul 10, 2026 - 21:52 vuln.today

DescriptionCVE.org

Frappe is a full-stack web application framework. Prior to 16.23.0 and 15.112.0, TarSlip RCE was possible in Package Import because tarfile members were not sufficiently checked before extraction. This issue is fixed in versions 16.23.0 and 15.112.0.

AnalysisAI

Arbitrary file write leading to remote code execution in the Frappe framework (versions prior to 15.112.0 and 16.23.0) allows a privileged user to abuse the Package Import feature, where tarfile members are extracted without adequate path validation (a TarSlip / path-traversal flaw, CWE-22). An attacker who can upload a crafted package tarball can write files outside the intended extraction directory to overwrite application files and achieve code execution as the Frappe service account. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain System Manager / import privilege
Delivery
Craft tar with traversal member paths
Exploit
Submit archive to Package Import
Execution
Members extracted outside target dir
Persist
Overwrite executed module or hook
Impact
Code execution as Frappe service account

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to have access to the Frappe Package Import feature, which is an administrative/System Manager-level capability - reflected as PR:H in the CVSS vector - so this is not anonymously exploitable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H) scores 8.6 (High): network-reachable, low complexity, no user interaction, full confidentiality/integrity/availability impact on the vulnerable system - but it requires high privileges (PR:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user holding Package Import (System Manager-level) rights on a shared or multi-tenant Frappe/ERPNext instance uploads a specially crafted package tarball whose member names contain path-traversal sequences. During extraction the malicious member is written outside the intended directory, overwriting a Python module or hook that Frappe subsequently loads, giving the attacker code execution as the Frappe service account. …
Remediation Vendor-released patch: upgrade to Frappe 15.112.0 (15.x line) or 16.23.0 (16.x line), which add proper validation of tar member paths before extraction; ERPNext and other Frappe-based apps should be updated to bundle a fixed framework version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Frappe instances and their versions; audit access to package import functionality; restrict access to named, essential administrators. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Frappe

View all
CVE-2025-67289 CRITICAL POC
9.6 Dec 22

Stored cross-site scripting leading to code execution in Frappe Framework 15.89.0 (and the ERPNext application built on

CVE-2026-39352 HIGH POC
8.7 May 20

Arbitrary file read in the Frappe full-stack web application framework allows remote unauthenticated attackers to retrie

CVE-2025-56381 MEDIUM POC
6.5 Oct 02

ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportv

CVE-2025-56380 MEDIUM POC
6.5 Oct 02

Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the fra

CVE-2025-52048 MEDIUM POC
6.5 Sep 15

In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py

CVE-2022-41712 MEDIUM POC
6.5 Nov 25

Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. Rated medium severity (CVSS

CVE-2019-15700 MEDIUM POC
6.1 Aug 27

public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and

CVE-2026-31877 CRITICAL
9.8 Mar 11

SQL injection in Frappe framework before 15.84.0/14.99.0.

CVE-2019-14965 CRITICAL
9.8 Aug 12

An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. Rated critical severity (CVSS 9.8), this vulner

CVE-2025-56379 MEDIUM POC
5.4 Oct 02

A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execu

CVE-2026-35614 CRITICAL
9.3 Apr 07

SQL injection in Frappe's bulk_update function enables unauthenticated remote attackers to execute arbitrary SQL command

CVE-2025-65267 CRITICAL
9.0 Dec 03

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to

Share

EUVD-2026-43107 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy