Back to overview

CVE-2026-55852

HIGH
8.6
CVSS 4.0
Description
Frappe is a full-stack web application framework. Prior to 16.23.0 and 15.112.0, TarSlip RCE was possible in Package Import because tarfile members were not sufficiently checked before extraction. This issue is fixed in versions 16.23.0 and 15.112.0.

Metadata

CVE ID
CVE-2026-55852
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-17 16:44 UTC
Published
2026-07-10 21:28 UTC
Last updated
2026-07-10 21:28 UTC
Primary CWE
CWE-22
CWE-22: Improper Limitation of a Pathname to a Restricted Di…
Vendor / Product
frappe / frappe
Sources
cve.org  ·  NVD

Severity & Metrics

8.6 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
frappe frappe < 15.112.0, >= 16.0.0-beta.1, < 16.23.0
Weakness (CWE)
CWESourceDescription
CWE-22 cna CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.6 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References (9)
Back to overview