Lucene search
K

983 matches found

Nuclei
Nuclei
added 7 hours ago42 views

Frappe Framework < 16.15.0 - Arbitrary File Read via render_include Path Traversal

Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above. id: CVE-2026-39352 info: name: Frappe Framework 16.15.0 - Arbitrary File...

8.7CVSS6.1AI score0.01279EPSS
Exploits0References4
NVD
NVD
added 4 days ago7 views

CVE-2026-58503

Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the resetpassword endpoint. This issue is fixed in versions 16.16.0 and 15.106.0...

6.9CVSS0.00354EPSS
Exploits0References7
NVD
NVD
added 4 days ago8 views

CVE-2026-55852

Frappe is a full-stack web application framework. Prior to 16.23.0 and 15.112.0, TarSlip RCE was possible in Package Import because tarfile members were not sufficiently checked before extraction. This issue is fixed in versions 16.23.0 and 15.112.0...

8.6CVSS0.00457EPSS
Exploits0References9
NVD
NVD
added 4 days ago9 views

CVE-2026-49394

Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the updatepage endpoint in Workspace because public workspaces did not receive the required Workspace Manager edit check. This issue is fixed in version 16.19.0...

7.1CVSS0.00307EPSS
Exploits0References6
NVD
NVD
added 4 days ago7 views

CVE-2026-48127

Frappe is a full-stack web application framework. Prior to 16.20.0 and 15.110.0, users without write access could attach files to any doctype through file-handling API endpoints such as addattachments. This issue is fixed in versions 16.20.0 and 15.110.0...

5.3CVSS0.00369EPSS
Exploits0References9
NVD
NVD
added 4 days ago6 views

CVE-2026-47422

Frappe is a full-stack web application framework. Prior to 15.107.5 and 16.18.2, an endpoint in reportview lacked appropriate permission checks and that has since been fixed. This vulnerability is fixed in 15.107.5 and 16.18.2...

5.3CVSS0.00278EPSS
Exploits0References1
NVD
NVD
added 4 days ago5 views

CVE-2026-47199

Frappe is a full-stack web application framework. Prior to 16.18.3 and 15.108.0, checksafesqlquery permitted SELECT INTO OUTFILE queries, which could potentially work on self-hosted sites if database permissions are not well aligned and MySQL FILE privileges are available. This issue is fixed in...

2.3CVSS0.00401EPSS
Exploits0References7
NVD
NVD
added 4 days ago7 views

CVE-2026-42219

Frappe is a full-stack web application framework. Prior to 16.19.0 and 15.109.0, path traversal via downloadbackups was possible due to lack of hardening. This issue is fixed in versions 16.19.0 and 15.109.0...

6.9CVSS0.00457EPSS
Exploits0References9
NVD
NVD
added 4 days ago8 views

CVE-2026-41482

Frappe is a full-stack web application framework. Prior to 16.18.3, possible path traversal and local file inclusion were possible through secure local resource access in the Chrome PDF Generator. This issue is fixed in version 16.18.3...

7.1CVSS0.00338EPSS
Exploits0References6
CVE
CVE
added 4 days ago10 views

CVE-2026-55852

Technical details are not publicly available in the provided documents. Monitor for updates.

8.6CVSS6.1AI score0.00457EPSS
Exploits0References9
Cvelist
Cvelist
added 4 days ago30 views

CVE-2026-55852 Frappe: TarSlip RCE in Package Import

Frappe is a full-stack web application framework. Prior to 16.23.0 and 15.112.0, TarSlip RCE was possible in Package Import because tarfile members were not sufficiently checked before extraction. This issue is fixed in versions 16.23.0 and 15.112.0...

8.6CVSS0.00457EPSS
Exploits0References9
OSV
OSV
added 4 days ago2 views

CVE-2026-55852 Frappe: TarSlip RCE in Package Import

Frappe is a full-stack web application framework. Prior to 16.23.0 and 15.112.0, TarSlip RCE was possible in Package Import because tarfile members were not sufficiently checked before extraction. This issue is fixed in versions 16.23.0 and 15.112.0...

8.6CVSS6.1AI score0.00457EPSS
Exploits0References11
OSV
OSV
added 4 days ago3 views

CVE-2026-42219 Frappe: Path Traversal via /backups Route

Frappe is a full-stack web application framework. Prior to 16.19.0 and 15.109.0, path traversal via downloadbackups was possible due to lack of hardening. This issue is fixed in versions 16.19.0 and 15.109.0...

6.9CVSS6.1AI score0.00457EPSS
Exploits0References11
CVE
CVE
added 4 days ago9 views

CVE-2026-42219

Frappe CVE-2026-42219 describes a path traversal vulnerability via the /backups route in the web framework. Affected versions are prior to 16.19.0 and 15.109.0, where insufficient hardening allowed path traversal during backups download. The issue is fixed in 16.19.0 and 15.109.0 releases. CVSS m...

6.9CVSS6.1AI score0.00457EPSS
Exploits0References9
Cvelist
Cvelist
added 4 days ago30 views

CVE-2026-42219 Frappe: Path Traversal via /backups Route

Frappe is a full-stack web application framework. Prior to 16.19.0 and 15.109.0, path traversal via downloadbackups was possible due to lack of hardening. This issue is fixed in versions 16.19.0 and 15.109.0...

6.9CVSS0.00457EPSS
Exploits0References9
Cvelist
Cvelist
added 4 days ago31 views

CVE-2026-49394 Frappe: Auth. bypass via update_page

Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the updatepage endpoint in Workspace because public workspaces did not receive the required Workspace Manager edit check. This issue is fixed in version 16.19.0...

7.1CVSS0.00307EPSS
Exploits0References6
CVE
CVE
added 4 days ago13 views

CVE-2026-49394

Frappe CVE-2026-49394: Before version 16.19.0, authorization bypass was possible via the update_page endpoint in Workspace because the Workspace Manager edit check was not enforced for public workspaces. The issue is fixed in 16.19.0. The CVSS metrics indicate a NETWORK attack vector, LOW access ...

7.1CVSS6.1AI score0.00307EPSS
Exploits0References6
OSV
OSV
added 4 days ago4 views

CVE-2026-49394 Frappe: Auth. bypass via update_page

Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the updatepage endpoint in Workspace because public workspaces did not receive the required Workspace Manager edit check. This issue is fixed in version 16.19.0...

7.1CVSS6.1AI score0.00307EPSS
Exploits0References8
CVE
CVE
added 4 days ago9 views

CVE-2026-48127

Frappe CVE-2026-48127 concerns an attacker could exploit attachment handling to inject arbitrary attachments in Doctypes. Specifically, prior to version 16.20.0 and 15.110.0, users without write access could attach files to any doctype via file-handling endpoints such as add_attachments. The issu...

5.3CVSS6.1AI score0.00369EPSS
Exploits0References9
Cvelist
Cvelist
added 4 days ago29 views

CVE-2026-48127 Frappe: Arbitrary Attachment Injection via add_attachments and upload_file

Frappe is a full-stack web application framework. Prior to 16.20.0 and 15.110.0, users without write access could attach files to any doctype through file-handling API endpoints such as addattachments. This issue is fixed in versions 16.20.0 and 15.110.0...

5.3CVSS0.00369EPSS
Exploits0References9
Rows per page
Query Builder