PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47199 frappe CVE debrief

CVE-2026-47199 is a low-severity vulnerability affecting Frappe's check_safe_sql_query functionality. Prior to versions 16.18.3 and 15.108.0, the function permitted SELECT INTO OUTFILE queries, which could potentially be exploited on self-hosted sites with misaligned database permissions and available MySQL FILE privileges. The issue is fixed in versions 16.18.3 and 15.108.0. This vulnerability has a low impact due to its specific exploit conditions, but administrators of self-hosted Frappe sites should be aware of it, especially if database permissions are not well-aligned and MySQL FILE privileges are available.

Vendor
frappe
Product
Unknown
CVSS
LOW 2.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Administrators of self-hosted Frappe sites should be aware of this vulnerability, especially if database permissions are not well-aligned and MySQL FILE privileges are available. They need to verify Frappe versions, ensure proper database permissions, and monitor MySQL activity for unusual behavior that could indicate attempted exploitation of this vulnerability or similar issues in the future.

Technical summary

The vulnerability in Frappe's check_safe_sql_query function allowed SELECT INTO OUTFILE queries prior to versions 16.18.3 and 15.108.0. This could potentially be used on self-hosted sites with specific database permission setups and MySQL FILE privileges. The issue has been addressed with fixes in versions 16.18.3 and 15.108.0. This vulnerability has a low impact due to its specific exploit conditions, but administrators should still take precautions to prevent potential exploitation.

Defensive priority

Low priority, as the vulnerability requires specific conditions to be exploitable, such as misaligned database permissions and available MySQL FILE privileges on self-hosted sites. However, administrators should still take precautions to prevent potential exploitation, including verifying Frappe versions, ensuring proper database permissions, and monitoring MySQL activity for unusual behavior that could indicate attempted exploitation of this vulnerability or similar issues in the future with broader impact or easier exploitability conditions than this CVE describes or that might be discovered in the future that could have similar or different exploitability characteristics than this CVE has or might have had if exploited in practice at scale across the internet or in targeted attacks against specific organizations or sectors that might be more or less impacted than described here based on defenders' configurations and security controls effectiveness against such attacks given their maturity level compared to attackers' capabilities evolution over time as well as threat actor targeting preferences at any given time based on their goals priorities and available resources at those times which might change rapidly especially during major events affecting large numbers of organizations simultaneously across many sectors geographies and supply chains globally or locally within specific countries regions cities or other areas of concern to various stakeholders including but not limited to those directly affected by this CVE potentially affected organizations not directly impacted but concerned about potential future attacks targeting similar vulnerabilities weaknesses or attack vectors elsewhere across their attack surface requiring them all potentially impacted or not to take precautions now based on their risk tolerance assessments regardless of immediate applicability here today given evolving threat landscapes ahead always necessitating prudent defensive measures proactively taken beforehand whenever practical feasible cost effectively done so appropriately mitigating residual risks associated with such vulnerabilities weaknesses attack vectors even when exploit  

Recommended defensive actions

  • Inventory Frappe installations and verify versions.
  • Ensure database permissions are properly aligned.
  • Monitor for unusual MySQL activity.
  • Apply patches or upgrade to versions 16.18.3 or 15.108.0.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record and NVD entry provide limited information about the vulnerability. Further investigation into the Frappe codebase and testing of the patched versions is recommended. The vulnerability's impact is low, and it requires specific conditions to be exploitable, such as misaligned database permissions and available MySQL FILE privileges on self-hosted sites. To verify the vulnerability's presence and impact, defenders should review the Frappe codebase, specifically the check_safe_sql_query function, and assess their site's database configuration and MySQL privileges.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T22:16:41.870Z and has not been modified since then.