CVE-2026-42219
Severity CVSS v4.0:
MEDIUM
Type:
CWE-22
Path Traversal
Publication date:
10/07/2026
Last modified:
10/07/2026
Description
Frappe is a full-stack web application framework. Prior to 16.19.0 and 15.109.0, path traversal via download_backups was possible due to lack of hardening. This issue is fixed in versions 16.19.0 and 15.109.0.
Impact
Base Score 4.0
6.90
Severity 4.0
MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/frappe/frappe/commit/4358f5bd449710027724a1679950d4ea65da6dcc
- https://github.com/frappe/frappe/commit/a470a1189132984635e2ec148f87de5232f5535d
- https://github.com/frappe/frappe/commit/a562ef2a5a3885895b9f9cf14d5a53e32e52d326
- https://github.com/frappe/frappe/pull/38740
- https://github.com/frappe/frappe/pull/39402
- https://github.com/frappe/frappe/pull/39403
- https://github.com/frappe/frappe/releases/tag/v15.109.0
- https://github.com/frappe/frappe/releases/tag/v16.19.0
- https://github.com/frappe/frappe/security/advisories/GHSA-w4p4-fp9m-47gj



