Frappe has an Arbitrary File Read via Path Traversal in...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above.

AI Analysis

Arbitrary File Read via Path Traversal vulnerability

Basic Information

ID CVE-2026-39352

Source GitHub_M

Published May 20, 2026 at 19:27

Affected Product

Vendor frappe

Product frappe

Version < 15.105.0

Affected Versions frappe frappe < 15.105.0
frappe frappe >= 15.106.0, < 16.15.0

CWE Classification

CWE-22

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Frappe

Product Frappe Framework

Version < 15.105.0, < 16.15.0

References

{
    "lastseen": "",
    "description": "Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above.",
    "published": "2026-05-20T19:27:01.543Z",
    "modified": "2026-05-20T19:27:01.543Z",
    "type": "cve",
    "title": "Frappe has an Arbitrary File Read via Path Traversal in render_include",
    "source": "GitHub_M",
    "references": "https://github.com/frappe/frappe/security/advisories/GHSA-67rf-pxgh-vfqv\nhttps://github.com/frappe/frappe/releases/tag/v16.15.0",
    "id": "CVE-2026-39352",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "frappe frappe < 15.105.0\nfrappe frappe >= 15.106.0, < 16.15.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "frappe",
    "version": "< 15.105.0",
    "vendor": "frappe",
    "ai_description": "Arbitrary File Read via Path Traversal vulnerability",
    "ai_severity": "High",
    "ai_vendor": "Frappe",
    "ai_product": "Frappe Framework",
    "ai_version": "< 15.105.0, < 16.15.0",
    "ai_score": 8.7
}

Frappe has an Arbitrary File Read via Path Traversal in render_include_CVE-2026-39352