CVE-2026-55852
8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Frappe is a full-stack web application framework. Prior to 16.23.0 and 15.112.0, TarSlip RCE was possible in Package Import because tarfile members were not sufficiently checked before extraction. This issue is fixed in versions 16.23.0 and 15.112.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| frappe | frappe | < 15.112.0 | affected |
| frappe | frappe | >= 16.0.0-beta.1, < 16.23.0 | affected |
Weaknesses
- CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References
- https://github.com/frappe/frappe/security/advisories/GHSA-58w2-4cjg-hvp6
- https://github.com/frappe/frappe/pull/38716
- https://github.com/frappe/frappe/pull/40044
- https://github.com/frappe/frappe/pull/40045
- https://github.com/frappe/frappe/commit/3c75f13fd7d4441a880dd236450277dc37fcddfd
- https://github.com/frappe/frappe/commit/4772e3e7f72db43d48137af74fa77e5fce903223
- https://github.com/frappe/frappe/commit/57e527d933aeffaec0cd735838701792c848e3e7
- https://github.com/frappe/frappe/releases/tag/v15.112.0
- https://github.com/frappe/frappe/releases/tag/v16.23.0
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.