CVE-2026-39352
Published 2026-05-20
Priority P2 · 64 · High 8.7 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EXPLOIT
EPSS 1.28% (66.4th percentile)
Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| frappe | frappe | < 15.105.0 (v15 branch) | 15.105.0 |
| frappe | frappe | < 16.15.0 (v16 branch) | 16.15.0 |
Detection & IOCs (extracted from sources)
pathfrappe/../../../../../../../../../../etc/passwd
url/api/method/frappe.desk.query_report.get_script
yara

```yara
rule CVE_2026_39352_frappe_path_traversal {
    strings:
        $traversal = "frappe/../../../../../../../../../../etc/passwd"
        $include = "{% include"
    condition:
        $traversal and $include
}
```

sigma

```yaml
title: Frappe CVE-2026-39352 Path Traversal File Read
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains: 'get_script'
        cs-uri-stem|contains: '/api/method/frappe.desk.query_report.get_script'
    condition: selection
```

- The exploit requires authentication. The attacker first POSTs credentials to /api/method/login and checks for 'Logged In' in the response body before proceeding.
- The attacker creates a malicious Script Report via POST /api/resource/Report with a javascript field containing a Jinja {% include %} directive that uses a path traversal sequence (frappe/../../../../../../../../../../etc/passwd) to read arbitrary files.
- The file read output is retrieved via GET /api/method/frappe.desk.query_report.get_script?report_name=<report>. A successful exploit returns HTTP 200 with an application/json content type and a body matching the regex 'root:.*:0:0:' (contents of /etc/passwd).
- The attacker cleans up by issuing DELETE /api/resource/Report/<report_name>. A successful cleanup returns HTTP 202 with a JSON body containing 'data' and 'ok'.
- Shodan and FOFA fingerprints for exposed Frappe instances: Shodan query 'http.title:"Login" http.html:"frappe"'; FOFA query 'title="Login" && body="frappe"'.
- The vulnerability is in the render_include functionality. The path traversal payload anchors to the 'frappe/' prefix before traversing upward, which suggests the sandbox check can be bypassed by starting within the frappe app directory.
- The exploit is authenticated (it requires valid Frappe credentials). The nuclei template uses {{username}} and {{password}} variables, so unauthenticated scanning is not possible. Note that the CVSS 4.0 vector on this page scores PR:N, while every documented step needs a session that is allowed to create Report documents; weigh the 8.7 accordingly for your own deployment.
- Affected versions are Frappe < 15.105.0 (v15 branch) and < 16.15.0 (v16 branch). The fix is in commits merged into 16.15.0 and 15.105.0.
- The exploit flow requires exactly four HTTP requests in sequence (login → create report → fetch script → delete report). Detection logic should correlate all four steps from the same source IP.
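The four-step correlation the last bullet asks for, as an added example that is not code from this page or from Frappe. It walks a few constructed webserver log lines (fields: date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status, with '-' for an empty query) and reports, per client IP, which of the steps login → create Report → get_script → delete Report were seen in order inside a time window. The log layout, the ten-minute window and the sample IPs are assumptions.

```python
"""Correlate the four-step CVE-2026-39352 exploit flow per source IP.

Added example, not code from this page or from Frappe. Field names follow
the Sigma rule above; the log layout and the window length are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic). 203.0.113.5 runs the full
# chain; 198.51.100.7 only logs in and opens a report, which a normal user
# with a saved Script Report also does.
SAMPLE_LOG = """\
2026-05-21 10:00:01 203.0.113.5 POST /api/method/login - 200
2026-05-21 10:00:02 203.0.113.5 POST /api/resource/Report - 200
2026-05-21 10:00:03 203.0.113.5 GET /api/method/frappe.desk.query_report.get_script report_name=x 200
2026-05-21 10:00:04 203.0.113.5 DELETE /api/resource/Report/x - 202
2026-05-21 10:05:00 198.51.100.7 POST /api/method/login - 200
2026-05-21 10:05:30 198.51.100.7 GET /api/method/frappe.desk.query_report.get_script report_name=Sales 200
"""

# Ordered steps of the chain; each matcher sees (method, uri-stem).
CHAIN = [
    ("login", lambda m, s: m == "POST" and s == "/api/method/login"),
    ("create_report", lambda m, s: m == "POST" and s == "/api/resource/Report"),
    ("get_script", lambda m, s: m == "GET" and s == "/api/method/frappe.desk.query_report.get_script"),
    ("delete_report", lambda m, s: m == "DELETE" and s.startswith("/api/resource/Report/")),
]
WINDOW = timedelta(minutes=10)  # assumption: the nuclei flow completes in seconds


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    date, time_, ip, method, stem, query, status = line.split()
    return {"ts": datetime.fromisoformat(f"{date} {time_}"), "ip": ip,
            "method": method, "stem": stem,
            "query": "" if query == "-" else query, "status": int(status)}


def step_index(ev):
    """Index of the chain step this request matches, or None."""
    for i, (_, match) in enumerate(CHAIN):
        if match(ev["method"], ev["stem"]):
            return i
    return None


def correlate(log_text, window=WINDOW):
    """Return {ip: [step names]} for the longest in-order chain each IP ran,
    starting at a successful login and staying within `window`."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        idx = step_index(ev)
        if idx is not None and 200 <= ev["status"] < 300:  # only successful requests count
            by_ip[ev["ip"]].append((ev["ts"], idx))
    chains = {}
    for ip, events in by_ip.items():
        events.sort()
        best = []
        for i, (start, idx) in enumerate(events):
            if idx != 0:  # every chain starts at a login
                continue
            seen = [0]
            for ts, later in events[i + 1:]:
                if ts - start > window:
                    break
                if later > seen[-1]:  # the next step must come later in the chain
                    seen.append(later)
            if len(seen) > len(best):
                best = seen
        chains[ip] = [CHAIN[i][0] for i in best]
    return chains


def full_chains(log_text, window=WINDOW):
    """IPs that completed all four steps: the high-confidence alert set."""
    return {ip for ip, steps in correlate(log_text, window).items() if len(steps) == len(CHAIN)}


if __name__ == "__main__":
    for ip, steps in correlate(SAMPLE_LOG).items():
        print(ip, " -> ".join(steps))
    print("full chain:", sorted(full_chains(SAMPLE_LOG)))
```

A partial chain (login followed by get_script) is what any user opening a saved Script Report produces, so only the full four-step chain is worth an alert on its own; the partial chains are still useful as context when a server-side indicator such as the YARA rule above fires on a stored Report's javascript field.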
Nuclei
Frappe Framework < 16.15.0 - Arbitrary File Read via render_include Path Traversal
nuclei · CVSS 8.7
Template:

```yaml
id: CVE-2026-39352

info:
  name: Frappe Framework < 16.15.0 - Arbitrary File Read via render_include Path Traversal
  author: DhiyaneshDK
  severity: medium
  description: |
    Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above.
  impact: |
    Attackers can read arbitrary files, potentially exposing sensitive informatio
```
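The bypass class behind the template's title, as an added example that is not Frappe's code and not the exact check CVE-2026-39352 targets: a check that only looks at the leading path segment accepts the IOC payload because it starts with 'frappe/', while resolving the path first and then testing containment rejects it. The apps root and the set of allowed app names are assumptions.

```python
"""A prefix check versus resolved-path containment for a template include path.

Added example, not Frappe's code: it illustrates the bypass class described
on this page (a path that starts inside the app directory and then climbs out
of it), not the exact check the CVE targets. The apps root and the allowed
app names are assumptions.
"""
import os
from pathlib import Path

ALLOWED_APPS = {"frappe"}  # assumption: an include path must start with an installed app name
TRAVERSAL = "frappe/../../../../../../../../../../etc/passwd"  # the payload from the IOC list above


def naive_resolve(apps_root: str, include_path: str) -> str:
    """Vulnerable pattern: checks only that the first segment names an allowed
    app, then joins the rest. The traversal payload passes because it begins
    with 'frappe/'."""
    app = include_path.split("/", 1)[0]
    if app not in ALLOWED_APPS:
        raise PermissionError(f"app {app!r} is not allowed")
    return os.path.normpath(os.path.join(apps_root, include_path))


def safe_resolve(apps_root: str, include_path: str) -> str:
    """Hardened form: resolve '..' and symlinks first, then require the result
    to remain under the app's own directory."""
    app = include_path.split("/", 1)[0]
    if app not in ALLOWED_APPS:
        raise PermissionError(f"app {app!r} is not allowed")
    app_dir = Path(apps_root, app).resolve()
    target = Path(apps_root, include_path).resolve()
    if target != app_dir and app_dir not in target.parents:
        raise PermissionError(f"{include_path!r} resolves outside {app_dir}")
    return str(target)


def check(apps_root: str, include_path: str) -> dict:
    """Run both checks and report what each would hand to the template loader."""
    result = {}
    for name, fn in (("naive", naive_resolve), ("safe", safe_resolve)):
        try:
            result[name] = fn(apps_root, include_path)
        except PermissionError as exc:
            result[name] = f"denied: {exc}"
    return result


if __name__ == "__main__":
    root = "/srv/bench/apps"  # assumed bench layout; nothing needs to exist on disk
    for p in ("frappe/templates/includes/footer.html", TRAVERSAL, "../etc/passwd"):
        print(p, check(root, p))
```

Because safe_resolve resolves symlinks before the containment test, a link planted inside the app directory that points outside it is rejected as well, which a purely lexical normpath-then-startswith check would miss.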