PT-2026-42259 · Frappe+1 · Frappe+1

Pucagit · Published 2026-05-20 · Updated 2026-05-25 · CVE-2026-39352

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Frappe versions prior to 15.105.0
Frappe versions prior to 16.15.0

Description

Frappe, a full-stack web application framework, contains a path traversal issue that may allow unauthenticated arbitrary file read on internet-facing surfaces, such as ERPNext. Over 115,700 potentially affected devices have been identified worldwide. Path traversal is a technique where an attacker uses special characters to access files and directories outside the intended folder.

Recommendations

Update to version 15.105.0 or above.
Update to version 16.15.0 or above.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-39352

Affected Products

ERPNext
Frappe