CVE-2025-52898

High CVSS: 8.7

Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users.

Vendor

Frappe

Product

Frappe

CWE

CWE-200

Yayın Tarihi

2025-06-30 18:15:25

Güncelleme

2025-07-08 14:43:50

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-200 Frappe HIGH Frappe 2025

Referanslar

https://github.com/frappe/frappe/commit/52e31337a6c964189c8b883a2f7bc3a28ab374f2 https://github.com/frappe/frappe/commit/5b4849b1ab5fd796b306312745b4e202b0e90d66 https://github.com/frappe/frappe/pull/31522 https://github.com/frappe/frappe/security/advisories/GHSA-p284-r7rh-wq7j

Benzer Kayıtlar

Medium

CVE-2026-34606

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27…

High

CVE-2026-32954

ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpo…

Critical

CVE-2026-31877

Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a ce…

Medium

CVE-2026-31878

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a…

Medium

CVE-2026-31879

Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation…

Medium

CVE-2026-28436

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted…