CVE-2025-52896

High CVSS: 8.6

Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds for this issue other than upgrading.

Vendor

Frappe

Product

Frappe

CWE

CWE-79

Yayın Tarihi

2025-06-30 17:15:33

Güncelleme

2025-07-08 14:10:33

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Frappe HIGH Frappe 2025

Referanslar

https://github.com/frappe/frappe/commit/152fd09de5bca16b8d299d715a1f5df6fca3866f https://github.com/frappe/frappe/commit/f11c53d4df745b58bd1c1c08e1634a2f5a55322a https://github.com/frappe/frappe/pull/31483 https://github.com/frappe/frappe/security/advisories/GHSA-hv29-66qg-2v6p

Benzer Kayıtlar

Medium

CVE-2026-34606

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27…

High

CVE-2026-32954

ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpo…

Critical

CVE-2026-31877

Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a ce…

Medium

CVE-2026-31878

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a…

Medium

CVE-2026-31879

Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation…

Medium

CVE-2026-28436

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted…