{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-55852","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-06-17T16:44:40.995Z","datePublished":"2026-07-10T21:28:29.445Z","dateUpdated":"2026-07-10T21:28:29.445Z"},"containers":{"cna":{"title":"Frappe: TarSlip RCE in Package Import","problemTypes":[{"descriptions":[{"cweId":"CWE-22","lang":"en","description":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":8.6,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0"}}],"references":[{"name":"https://github.com/frappe/frappe/security/advisories/GHSA-58w2-4cjg-hvp6","tags":["x_refsource_CONFIRM"],"url":"https://github.com/frappe/frappe/security/advisories/GHSA-58w2-4cjg-hvp6"},{"name":"https://github.com/frappe/frappe/pull/38716","tags":["x_refsource_MISC"],"url":"https://github.com/frappe/frappe/pull/38716"},{"name":"https://github.com/frappe/frappe/pull/40044","tags":["x_refsource_MISC"],"url":"https://github.com/frappe/frappe/pull/40044"},{"name":"https://github.com/frappe/frappe/pull/40045","tags":["x_refsource_MISC"],"url":"https://github.com/frappe/frappe/pull/40045"},{"name":"https://github.com/frappe/frappe/commit/3c75f13fd7d4441a880dd236450277dc37fcddfd","tags":["x_refsource_MISC"],"url":"https://github.com/frappe/frappe/commit/3c75f13fd7d4441a880dd236450277dc37fcddfd"},{"name":"https://github.com/frappe/frappe/commit/4772e3e7f72db43d48137af74fa77e5fce903223","tags":["x_refsource_MISC"],"url":"https://github.com/frappe/frappe/commit/4772e3e7f72db43d48137af74fa77e5fce903223"},{"name":"https://github.com/frappe/frappe/commit/57e527d933aeffaec0cd735838701792c848e3e7","tags":["x_refsource_MISC"],"url":"https://github.com/frappe/frappe/commit/57e527d933aeffaec0cd735838701792c848e3e7"},{"name":"https://github.com/frappe/frappe/releases/tag/v15.112.0","tags":["x_refsource_MISC"],"url":"https://github.com/frappe/frappe/releases/tag/v15.112.0"},{"name":"https://github.com/frappe/frappe/releases/tag/v16.23.0","tags":["x_refsource_MISC"],"url":"https://github.com/frappe/frappe/releases/tag/v16.23.0"}],"affected":[{"vendor":"frappe","product":"frappe","versions":[{"version":"< 15.112.0","status":"affected"},{"version":">= 16.0.0-beta.1, < 16.23.0","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-07-10T21:28:29.445Z"},"descriptions":[{"lang":"en","value":"Frappe is a full-stack web application framework. Prior to 16.23.0 and 15.112.0, TarSlip RCE was possible in Package Import because tarfile members were not sufficiently checked before extraction. This issue is fixed in versions 16.23.0 and 15.112.0."}],"source":{"advisory":"GHSA-58w2-4cjg-hvp6","discovery":"UNKNOWN"}}}}