CVE-2025-52896

Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds for this issue other than upgrading.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/frappe/frappe/commit/152fd09de5bca16b8d299d715a1f5df6fca3866f	Patch
https://github.com/frappe/frappe/commit/f11c53d4df745b58bd1c1c08e1634a2f5a55322a	Patch
https://github.com/frappe/frappe/pull/31483	Issue Tracking
https://github.com/frappe/frappe/security/advisories/GHSA-hv29-66qg-2v6p	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:frappe:frappe::::::::
	cpe:2.3:a:frappe:frappe::::::::

History

08 Jul 2025, 14:10

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
CPE		cpe:2.3:a:frappe:frappe::::::::
First Time		Frappe frappe Frappe
Summary		(es) Frappe es un framework de aplicaciones web integral. Antes de las versiones 14.94.2 y 15.57.0, los usuarios autenticados podían subir archivos maliciosos cuidadosamente manipulados mediante la importación de datos, lo que provocaba ataques de cross-site scripting (XSS). Este problema se ha corregido en las versiones 14.94.2 y 15.57.0. No existen soluciones alternativas aparte de actualizar.
References	~~() https://github.com/frappe/frappe/commit/152fd09de5bca16b8d299d715a1f5df6fca3866f -~~	() https://github.com/frappe/frappe/commit/152fd09de5bca16b8d299d715a1f5df6fca3866f - Patch
References	~~() https://github.com/frappe/frappe/commit/f11c53d4df745b58bd1c1c08e1634a2f5a55322a -~~	() https://github.com/frappe/frappe/commit/f11c53d4df745b58bd1c1c08e1634a2f5a55322a - Patch
References	~~() https://github.com/frappe/frappe/pull/31483 -~~	() https://github.com/frappe/frappe/pull/31483 - Issue Tracking
References	~~() https://github.com/frappe/frappe/security/advisories/GHSA-hv29-66qg-2v6p -~~	() https://github.com/frappe/frappe/security/advisories/GHSA-hv29-66qg-2v6p - Vendor Advisory

30 Jun 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-30 17:15

Updated : 2025-07-08 14:10

NVD link : CVE-2025-52896

Mitre link : CVE-2025-52896

CVE.ORG link : CVE-2025-52896

JSON object : View

Products Affected

frappe

frappe

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10