PYSEC-2026-1393

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/frappe/PYSEC-2026-1393.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1393
Aliases
Published
2026-07-07T14:34:58.850254Z
Modified
2026-07-07T17:47:22.084794530Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Frappe has Possibility of Remote Code Execution due to improper validation
Details

Impact

A system user was able to create certain documents in a specific way that could lead to RCE.

Workarounds

There's no workaround, an upgrade is required.

Credits

Thanks to Thanh of Calif.io for reporting the issue

References

Affected packages

PyPI / frappe

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
14.91.0
Introduced
15.0.0
Fixed
15.52.0

Affected versions

0.*
0.0.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/frappe/PYSEC-2026-1393.yaml"