CVE-2026-39352
published 2026-05-20

Priority: P2 | 64 | high
CVSS 4.0: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
Exploit: yes
EPSS: 1.28% (66.4th percentile)
Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above.

Affected

2 ranges

Vendor   Product   Version range   Fixed in
frappe   frappe    < 15.105.0      15.105.0
frappe   frappe    < 16.15.0       16.15.0

Detection & IOCs (extracted from sources)

path: frappe/../../../../../../../../../../etc/passwd
url: /api/method/frappe.desk.query_report.get_script

yara
rule CVE_2026_39352_frappe_path_traversal {
    strings:
        $traversal = "frappe/../../../../../../../../../../etc/passwd"
        $include = "{% include"
    condition:
        $traversal and $include
}
sigma
title: Frappe CVE-2026-39352 Path Traversal File Read
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains: 'get_script'
    cs-uri-stem|contains: '/api/method/frappe.desk.query_report.get_script'
  condition: selection
  • The exploit requires authentication. The attacker first POSTs credentials to /api/method/login and checks for 'Logged In' in the response body before proceeding.
  • The attacker creates a malicious Script Report via POST /api/resource/Report with a javascript field containing a Jinja {% include %} directive using a path traversal sequence (frappe/../../../../../../../../../../etc/passwd) to read arbitrary files.
  • File read output is retrieved via GET /api/method/frappe.desk.query_report.get_script?report_name=<report>. A successful exploit returns HTTP 200 with application/json content-type and the body matches the regex 'root:.*:0:0:' (contents of /etc/passwd).
  • The attacker cleans up by issuing DELETE /api/resource/Report/<report_name>. A successful cleanup returns HTTP 202 with JSON body containing 'data' and 'ok'.
  • Shodan and FOFA fingerprints for exposed Frappe instances: Shodan query 'http.title:"Login" http.html:"frappe"'; FOFA query 'title="Login" && body="frappe"'.
  • The vulnerability is in the render_include functionality. The path traversal payload anchors to the 'frappe/' prefix before traversing upward, suggesting the sandbox check can be bypassed by starting within the frappe app directory.
  • The exploit is authenticated (requires valid Frappe credentials). The nuclei template uses {{username}} and {{password}} variables, meaning unauthenticated scanning is not possible.
  • Affected versions are Frappe < 15.105.0 (v15 branch) and < 16.15.0 (v16 branch). The fix is in commits merged into 16.15.0 and 15.105.0.
  • The exploit flow requires exactly 4 HTTP requests in sequence (login → create report → fetch script → delete report). Detection logic should correlate all four steps from the same source IP.
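The four-step correlation the last bullet asks for, as an added example (not code from this page or from the Frappe project): it walks constructed access-log lines and flags a client IP that completes login, report creation, get_script fetch and report deletion in order within a short window. The log layout (`epoch ip method uri status`), the 300-second window and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# The four requests from the bullets above as (method, path regex); how they
# appear in an access log is an assumption of this example.
STEPS = [
    ("POST", re.compile(r"^/api/method/login$")),
    ("POST", re.compile(r"^/api/resource/Report$")),
    ("GET", re.compile(r"^/api/method/frappe\.desk\.query_report\.get_script")),
    ("DELETE", re.compile(r"^/api/resource/Report/[^/]+$")),
]
# Assumed log layout: "<epoch seconds> <client ip> <method> <uri> <status>"
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparsable line: skipped by correlate()
    ts, ip, method, uri, status = m.groups()
    return int(ts), ip, method, uri, int(status)

def correlate(lines, window=300):
    """Return the client IPs that complete all four steps, in order, within `window` seconds."""
    progress = defaultdict(lambda: (0, None))  # ip -> (next step index, ts of first step)
    hits = set()
    for ts, ip, method, uri, status in filter(None, map(parse_line, lines)):
        idx, start = progress[ip]
        if start is not None and ts - start > window:
            idx, start = 0, None  # chain went stale; start over from login
        want_method, want_path = STEPS[idx]
        # Only successful responses advance the chain; the log carries no body, so
        # the status code stands in for the 'Logged In' / 'root:' body checks above.
        if method == want_method and want_path.search(uri) and status < 400:
            idx, start = idx + 1, (ts if start is None else start)
            if idx == len(STEPS):
                hits.add(ip)
                idx, start = 0, None
        progress[ip] = (idx, start)
    return hits

# Constructed sample: a full chain from 203.0.113.5, a benign session from 198.51.100.7.
SAMPLE_LOG = [
    "1700000000 203.0.113.5 POST /api/method/login 200",
    "1700000003 203.0.113.5 POST /api/resource/Report 200",
    "1700000005 203.0.113.5 GET /api/method/frappe.desk.query_report.get_script?report_name=r1 200",
    "1700000006 203.0.113.5 DELETE /api/resource/Report/r1 202",
    "1700000010 198.51.100.7 POST /api/method/login 200",
    "1700000012 198.51.100.7 GET /api/method/frappe.desk.query_report.get_script?report_name=sales 200",
]
```

A benign user who logs in and opens a report never creates and deletes a Report resource, so only the complete ordered chain is reported.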