Path Traversal in Frappe
CVE-2026-39352
Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above.
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.030 (86.9th percentile)
Affected products
- Frappe — versions < 15.105.0, >= 15.106.0, < 16.15.0
Weakness classification (CWE)