Description

Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, certain requests were vulnerable to path traversal attacks, wherein some files from the server could be retrieved if the full path was known. Sites hosted on Frappe Cloud, and even other setups that are behind a reverse proxy like NGINX are unaffected. This would mainly affect someone directly using werkzeug/gunicorn. In those cases, either an upgrade or changing the setup to use a reverse proxy is recommended. This vulnerability is fixed in 15.86.0 and 14.99.2.

INFO

Published Date :

2025-12-01T20:29:07.386Z

Last Modified :

2025-12-01T20:37:05.162Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66206 vulnerability.

Vendors Products
Frappe
  • Frappe
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66206.

URL Resource
https://github.com/frappe/frappe/security/advisories/GHSA-v4wg-gqfr-rpjm cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact