CVE-2026-39352
Description
Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Frappe prior to 15.105.0 and 16.15.0 has a path traversal vulnerability allowing arbitrary file read.
Vulnerability
A path traversal vulnerability exists in Frappe framework versions prior to 15.105.0 and 16.15.0, allowing arbitrary file read. The issue is in the handling of file paths, enabling an attacker to read files outside the intended directory. Affected versions: <15.105.0 and <16.15.0 [1][2].
Exploitation
An attacker may exploit this by sending a specially crafted request containing path traversal sequences (e.g., ../) to access arbitrary files on the server. The references do not explicitly mention an authentication requirement; given the nature of Frappe, exploitation may require network access to the application [2].
Impact
Successful exploitation allows an attacker to read arbitrary files on the server, potentially exposing sensitive information such as configuration files, source code, or credentials. This could lead to further compromise [2].
Mitigation
The vulnerability is fixed in Frappe versions 15.105.0 and 16.15.0 [1][2]. All users must upgrade to these versions or later. No workarounds are available [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.