๐Ÿ” CVE Alert

CVE-2026-48127

UNKNOWN 0.0

Frappe: Arbitrary Attachment Injection via add_attachments and upload_file

CVSS Score
0.0
EPSS Score
0.4%
EPSS Percentile
29th

Frappe is a full-stack web application framework. Prior to 16.20.0 and 15.110.0, users without write access could attach files to any doctype through file-handling API endpoints such as add_attachments. This issue is fixed in versions 16.20.0 and 15.110.0.

CWE CWE-862
Vendor frappe
Product frappe
Published Jul 10, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for frappe frappe

Be the first to know when new unknown vulnerabilities affecting frappe frappe are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

frappe / frappe
< 15.110.0 >= 16.0.0-beta.1, < 16.20.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/frappe/frappe/security/advisories/GHSA-fwrv-4rw4-97fw github.com: https://github.com/frappe/frappe/pull/39407 github.com: https://github.com/frappe/frappe/pull/39550 github.com: https://github.com/frappe/frappe/pull/39553 github.com: https://github.com/frappe/frappe/commit/4bf27db101c34bd542a760290fc0775efa5cd0e4 github.com: https://github.com/frappe/frappe/commit/b1c86042e6f85986f35365c80bb1d102ff1cd0e4 github.com: https://github.com/frappe/frappe/commit/fee1af6d89910f6b174fd094184060aeb641d07d github.com: https://github.com/frappe/frappe/releases/tag/v15.110.0 github.com: https://github.com/frappe/frappe/releases/tag/v16.20.0