Description
Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above.
Published: 2026-05-20
Score: 8.7 High
EPSS: 3.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from a path traversal flaw in Frappe's render_include function, which allows an attacker to read files outside the intended directory. By supplying specially crafted input, a malicious user could access arbitrary files on the server, potentially exposing sensitive configuration, credentials, or code. The issue is classified as CWE-22 and results in a data exposure risk for any application using the affected Frappe framework.

Affected Systems

Frappe, the open-source full-stack web application framework, is affected in all releases before 15.105.0 and before 16.15.0. The fixed releases are 15.105.0 and 16.15.0 or later.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.7, indicating high severity. The EPSS score indicates a 3% likelihood of exploitation, and the flaw is not listed in CISA's KEV catalog. An attacker would need to reach the vulnerable render_include code path; based on the description, this is inferred to happen through crafted URLs or form input that cause render_include to be invoked. If that code path is publicly reachable, the path traversal could be triggered without authentication (the CVSS vector records PR:N), making exploitation straightforward.

Generated by OpenCVE AI on May 28, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Frappe to version 16.15.0 or later, or 15.105.0 or later to apply the vendor fix.
  • Restrict access to the render_include functionality so that only trusted code or internal users can invoke it, and apply input validation to reject paths containing '..' or other traversal sequences.
  • Verify that any user supplied file names are fully sanitized and confined to a safe, whitelisted directory before inclusion.
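The confinement check the last two actions describe, shown as an added example in Python (the language Frappe is written in). This is not Frappe's code and not its render_include function: the `resolve_include` helper, the `templates` directory layout and the `site_config.json` stand-in are hypothetical and constructed for the demonstration. The check runs on the fully resolved path rather than on the raw string, so '..' segments, absolute paths and symlinks that point outside the template directory are all rejected, and an extension allow-list keeps data or configuration files from being included even when they sit inside the directory.

```python
"""Hypothetical include-path confinement check (not Frappe's own code)."""
import os
import tempfile
from pathlib import Path


class IncludeError(ValueError):
    """Raised when a requested include name is outside the allowed template directory."""


def resolve_include(base_dir, requested, allowed_suffixes=(".html",)):
    """Return the absolute path of `requested` inside `base_dir`, or raise IncludeError.

    The containment check runs on the fully resolved path, so '..' segments,
    absolute paths and symlinks that point outside base_dir are all rejected.
    `requested` is the user-controlled include name; `base_dir` is trusted.
    """
    if not requested or "\x00" in requested:
        raise IncludeError("empty or NUL-containing include name")
    if os.path.isabs(requested):
        raise IncludeError("absolute include paths are not allowed")
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    # Containment: the resolved candidate must sit strictly below base.
    if base not in candidate.parents:
        raise IncludeError("include escapes the template directory: %r" % requested)
    # Restrict to template file types so data/config files cannot be included.
    if candidate.suffix not in allowed_suffixes:
        raise IncludeError("disallowed include type: %r" % candidate.suffix)
    if not candidate.is_file():
        raise IncludeError("include not found: %r" % requested)
    return str(candidate)


def render_include(base_dir, requested):
    """Read an include only after resolve_include() has confined it."""
    return Path(resolve_include(base_dir, requested)).read_text()


def demo():
    """Exercise the check against a constructed layout; returns {name: 'allowed'|'rejected'}."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as root:
        templates = Path(root) / "templates"
        templates.mkdir()
        (templates / "header.html").write_text("<h1>constructed header</h1>")
        # Constructed stand-in for a sensitive file one level above the template dir.
        secret = Path(root) / "site_config.json"
        secret.write_text('{"db_password": "constructed-value"}')
        # A symlink inside the template dir that points outside it (skipped where unsupported).
        try:
            os.symlink(secret, templates / "link.html")
        except (OSError, NotImplementedError):
            pass
        for name in ("header.html", "../site_config.json", "link.html",
                     "/constructed/absolute.html", "header.txt"):
            try:
                render_include(str(templates), name)
                outcomes[name] = "allowed"
            except IncludeError:
                outcomes[name] = "rejected"
    return outcomes


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-28s %s" % (name, verdict))
```

Only `header.html` is allowed; the '..' name, the symlink that resolves outside the directory, the absolute path and the non-template extension are all rejected before any file is read. Checking `candidate.parents` after `resolve()` is what makes the symlink case work; a substring test for '..' on the raw name would not catch it.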

Advisories

No advisories yet.

History

Thu, 21 May 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 22:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Frappe; Frappe frappe

Type: Vendors & Products
Values Removed: (none)
Values Added: Frappe; Frappe frappe

Wed, 20 May 2026 20:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above.

Type: Title
Values Removed: (none)
Values Added: Frappe has an Arbitrary File Read via Path Traversal in render_include

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-22

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV4_0)
Values Removed: (none)
Values Added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-21T14:25:31.245Z

Reserved: 2026-04-06T20:28:38.394Z

Link: CVE-2026-39352

Vulnrichment

Updated: 2026-05-21T14:20:39.556Z

NVD

Status: Deferred

Published: 2026-05-20T20:16:39.537

Modified: 2026-05-21T15:24:25.330

Link: CVE-2026-39352

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T15:30:05Z

Weaknesses