CVE-2026-42219 in Frappeinfo

Summary

by MITRE • 07/11/2026

Frappe is a full-stack web application framework. Prior to 16.19.0 and 15.109.0, path traversal via download_backups was possible due to lack of hardening. This issue is fixed in versions 16.19.0 and 15.109.0.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/11/2026

The vulnerability in Frappe web application framework represents a critical path traversal flaw that could enable unauthorized access to sensitive system files through the download_backups functionality. This security weakness existed in versions prior to 16.19.0 and 15.109.0, where inadequate input validation and sanitization allowed attackers to manipulate file paths and potentially access restricted directories on the server. The flaw specifically impacted the backup download mechanism which should have been restricted to legitimate backup files but instead accepted arbitrary path parameters that could be exploited to traverse the file system. This type of vulnerability falls under CWE-22 Path Traversal and aligns with ATT&CK technique T1059 Command and Scripting Interpreter where attackers can manipulate application functions to access unintended resources.

The technical implementation of this vulnerability stems from insufficient parameter validation within the download_backups endpoint which failed to properly sanitize user-supplied input before using it in file system operations. Attackers could craft malicious requests containing directory traversal sequences such as ../ or ..\ that would bypass normal access controls and allow them to navigate to arbitrary locations on the server filesystem. The vulnerability essentially allowed an attacker to bypass intended access restrictions and potentially retrieve sensitive information including database credentials, configuration files, source code, and other confidential data stored outside of designated backup directories. This flaw represents a classic example of insecure direct object reference where the application directly uses user input to construct file paths without proper authorization checks.

The operational impact of this vulnerability extends beyond simple data theft to potentially enable complete system compromise if attackers can access critical system files or configuration data. Organizations running affected versions of Frappe could face unauthorized access to backup archives, application source code, database connection strings, and other sensitive information that could facilitate further attacks. The vulnerability is particularly concerning because it operates at the file system level where an attacker could potentially access not just backup files but also core application files, log files, and configuration data that might contain authentication credentials or other exploitable information.

Mitigation strategies for this vulnerability should begin with immediate upgrade to versions 16.19.0 or 15.109.0 where the patch has been implemented. Organizations should also implement additional defensive measures including input validation at multiple layers, implementing strict file path normalization, and restricting file system access permissions for backup operations. Security teams should conduct thorough audits of all file handling functions within the application to identify similar vulnerabilities and ensure that no other endpoints suffer from inadequate input sanitization. The fix typically involves implementing proper path validation that rejects any input containing directory traversal sequences and ensures that all file operations occur within designated safe directories. This vulnerability highlights the importance of following secure coding practices and implementing defense-in-depth strategies to protect against common web application flaws that could lead to complete system compromise.

Responsible

GitHub M

Reservation

04/25/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!