CVE-2025-52896NVD

Vulnerability Summary

Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds for this issue other than upgrading.

Severity Level

HIGH(8.6)

Published Date

Jun 30, 2025

Last Modified

Jul 8, 2025

Exploitation Status

????

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

CWE-79: Cross-site Scripting (XSS) ↗

The software does not neutralize user-controllable input before it is placed in output that is used as a web page.

CVSS v4.0 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionNone

External References

https://github.com/frappe/frappe/commit/152fd09de5bca16b8d299d715a1f5df6fca3866f
https://github.com/frappe/frappe/commit/f11c53d4df745b58bd1c1c08e1634a2f5a55322a
https://github.com/frappe/frappe/pull/31483
https://github.com/frappe/frappe/security/advisories/GHSA-hv29-66qg-2v6p

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2025-52896NVD

Vulnerability Summary

External References