Back to overview

CVE-2026-47199

LOW
2.3
CVSS 4.0
Description
Frappe is a full-stack web application framework. Prior to 16.18.3 and 15.108.0, check_safe_sql_query permitted SELECT INTO OUTFILE queries, which could potentially work on self-hosted sites if database permissions are not well aligned and MySQL FILE privileges are available. This issue is fixed in versions 16.18.3 and 15.108.0.

Metadata

CVE ID
CVE-2026-47199
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-18 22:07 UTC
Published
2026-07-10 21:14 UTC
Last updated
2026-07-10 21:14 UTC
Primary CWE
CWE-89
CWE-89: Improper Neutralization of Special Elements used in …
Vendor / Product
frappe / frappe
Sources
cve.org  ·  NVD

Severity & Metrics

2.3 LOW CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
frappe frappe < 15.108.0, >= 16.0.0-beta.1, < 16.18.3
Weakness (CWE)
CWESourceDescription
CWE-89 cna CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
2.3 LOW 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
References (7)
Back to overview