CVE-2026-47199
Severity CVSS v4.0:
LOW
Type:
CWE-89
SQL Injection
Publication date:
10/07/2026
Last modified:
10/07/2026
Description
Frappe is a full-stack web application framework. Prior to 16.18.3 and 15.108.0, check_safe_sql_query permitted SELECT INTO OUTFILE queries, which could potentially work on self-hosted sites if database permissions are not well aligned and MySQL FILE privileges are available. This issue is fixed in versions 16.18.3 and 15.108.0.
Impact
Base Score 4.0
2.30
Severity 4.0
LOW
References to Advisories, Solutions, and Tools
- https://github.com/frappe/frappe/commit/628e103f7ffe307447d9fc9e2c572cbddedfa3b5
- https://github.com/frappe/frappe/commit/91d3ded038d1c901b73f4a2293e134d691c1662d
- https://github.com/frappe/frappe/pull/39345
- https://github.com/frappe/frappe/pull/39346
- https://github.com/frappe/frappe/releases/tag/v15.108.0
- https://github.com/frappe/frappe/releases/tag/v16.18.3
- https://github.com/frappe/frappe/security/advisories/GHSA-wx8j-cw4r-vrhv



