Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above.
This high-severity CVE scores 8.7 under NVD CVSS v3. EPSS exploit probability: 1.1%, top 38% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
May 20, 2026
May 21, 2026
Patch available: frappe/frappe v16.15.0
https://github.com/frappe/frappe/releases/tag/v16.15.0
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Working exploit code is in the public domain. Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
Frappe Framework < 16.15.0 - Arbitrary File Read via render_include Path Traversal
Explore the affected products and dependency analysis for CVE-2026-39352