๐Ÿ” CVE Alert

CVE-2026-42219

UNKNOWN 0.0

Frappe: Path Traversal via /backups Route

CVSS Score
0.0
EPSS Score
0.5%
EPSS Percentile
37th

Frappe is a full-stack web application framework. Prior to 16.19.0 and 15.109.0, path traversal via download_backups was possible due to lack of hardening. This issue is fixed in versions 16.19.0 and 15.109.0.

CWE CWE-22
Vendor frappe
Product frappe
Published Jul 10, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for frappe frappe

Be the first to know when new unknown vulnerabilities affecting frappe frappe are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

frappe / frappe
< 15.109.0 >= 16.0.0-beta.1, < 16.19.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/frappe/frappe/security/advisories/GHSA-w4p4-fp9m-47gj github.com: https://github.com/frappe/frappe/pull/38740 github.com: https://github.com/frappe/frappe/pull/39402 github.com: https://github.com/frappe/frappe/pull/39403 github.com: https://github.com/frappe/frappe/commit/4358f5bd449710027724a1679950d4ea65da6dcc github.com: https://github.com/frappe/frappe/commit/a470a1189132984635e2ec148f87de5232f5535d github.com: https://github.com/frappe/frappe/commit/a562ef2a5a3885895b9f9cf14d5a53e32e52d326 github.com: https://github.com/frappe/frappe/releases/tag/v15.109.0 github.com: https://github.com/frappe/frappe/releases/tag/v16.19.0