CVE-2026-55852
Frappe · Frappe
The Frappe framework is vulnerable to path traversal, which could allow an authenticated high-privileged user to access or manipulate restricted files on the server.
Executive summary
A high-severity path traversal vulnerability in the Frappe framework allows authenticated high-privileged users to compromise system files.
Vulnerability
This vulnerability (CWE-22) is caused by improper limitation of pathnames to restricted directories. An attacker with high-level privileges can traverse the filesystem to access files outside of the intended application directory.
Business impact
Exploitation of this path traversal flaw could lead to full system compromise, including the retrieval of sensitive configuration files or the overwriting of critical system components. With a CVSS score of 8.6, this vulnerability represents a severe threat to infrastructure integrity and security.
Remediation
Immediate Action: Update the Frappe framework to version 15.112.0 or 16.23.0 immediately to include the necessary path validation fixes.
Proactive Monitoring: Audit server file system access logs for suspicious traversal patterns (e.g., ../../) originating from administrative accounts.
Compensating Controls: Ensure the application runs with the principle of least privilege, restricting the filesystem access of the web server process to only the necessary directories.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the potential for high-level system impact, it is imperative to apply the provided patches to the Frappe framework. Administrators should prioritize upgrading to the patched versions to prevent unauthorized file access and potential escalation of privileges.