PatchSiren cyber security CVE debrief
CVE-2026-39352 frappe CVE debrief
CVE-2026-39352 is a high-severity path traversal issue in Frappe that can lead to arbitrary file read. According to the published advisory material, versions prior to 15.105.0 and 16.15.0 are affected, and the issue is resolved in 15.105.0 and 16.15.0. Because the weakness is classified as CWE-22 and the CVSS score is 8.7, this should be treated as a priority patching item for any exposed or internally reachable Frappe deployment.
- Vendor: frappe
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-21
Who should care
Security teams, Frappe application owners, platform administrators, and operations teams responsible for internet-facing or sensitive internal Frappe instances should review this immediately. Any environment that stores credentials, configuration files, or other sensitive local files on the same host is especially at risk, because an arbitrary file read can expose those secrets.
Technical summary
The CVE record and linked GitHub advisory indicate a path traversal condition in Frappe that can be used to read arbitrary files. NVD maps the weakness to CWE-22. The affected version ranges are before 15.105.0 and before 16.15.0, with remediation available in 15.105.0 and 16.15.0 respectively. No exploit details are provided here beyond the published vulnerability class and impact.
Defensive priority
High. The combination of network reachability, no user interaction, arbitrary file read impact, and a CVSS 8.7 score makes this a strong patch-now candidate. Prioritize any production, exposed, or multi-tenant Frappe installations, and validate whether sensitive local files could be accessed if the issue were abused.
Recommended defensive actions
- Upgrade Frappe to 16.15.0 or later, or to 15.105.0 or later on the 15.x branch.
- Inventory all Frappe deployments and identify versions below the fixed releases.
- Review access to any exposed Frappe endpoints and restrict network reachability where possible until upgrades are complete.
- Check for sensitive files on affected hosts that would increase the impact of arbitrary file read.
- Monitor vendor and project advisories for any additional guidance or follow-up fixes.
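To support the inventory step above, here is an added triage helper (not part of the advisory or the Frappe project) that classifies collected Frappe version strings against the two fixed releases named in this debrief. It assumes that a major version below 15 falls under the advisory's "prior to 15.105.0" wording and that branches above 16 are not covered by the published ranges, so it reports them as unknown rather than guessing; the host names and versions are constructed sample data.

```python
"""Triage Frappe version strings against the CVE-2026-39352 fixed releases."""
from __future__ import annotations
import re

# Fixed releases named in the advisory, keyed by major branch.
FIXED = {15: (15, 105, 0), 16: (16, 15, 0)}

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int] | None:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v'); None if unparseable."""
    m = _VER_RE.match(text.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def assess(version: str) -> tuple[str, str]:
    """Return (status, reason) where status is affected, fixed or unknown."""
    v = parse_version(version)
    if v is None:
        return "unknown", f"unparseable version {version!r}"
    major = v[0]
    if major in FIXED:
        fixed_str = ".".join(map(str, FIXED[major]))
        if v < FIXED[major]:
            return "affected", f"{version} is below {fixed_str}"
        return "fixed", f"{version} is at or above {fixed_str}"
    if major < 15:
        # Assumption: older majors are "prior to 15.105.0" and have no fix of
        # their own, so they need an upgrade onto a fixed branch.
        return "affected", f"{version} predates 15.105.0; no fix on this branch"
    return "unknown", f"{version} is on a branch the advisory does not name"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so the affected list can drive patch scheduling."""
    groups: dict[str, list[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        status, _reason = assess(version)
        groups[status].append(host)
    return groups


# Constructed sample inventory (host -> reported frappe version).
SAMPLE_INVENTORY = {
    "erp-prod-01": "15.104.3",
    "erp-prod-02": "15.105.0",
    "erp-dev": "v16.14.0",
    "erp-stage": "16.15.0",
    "erp-legacy": "14.80.1",
    "erp-unknown": "n/a",
}

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY.items():
        status, reason = assess(version)
        print(f"{host:12} {status:8} {reason}")
```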
Evidence notes
The CVE description states that Frappe versions prior to 15.105.0 and 16.15.0 contain a possible arbitrary file read vulnerability via path traversal, and that the issue is resolved in 16.15.0 and 15.105.0 and above. NVD marks the vulnerability status as Received and maps the weakness to CWE-22. The provided official references are the Frappe 16.15.0 release tag and the GitHub Security Advisory GHSA-67rf-pxgh-vfqv.
Official resources
Published 2026-05-20T20:16:39.537Z and modified the same day in the supplied CVE/NVD record.