
The Frappe Framework, a widely used full-stack application platform that powers ERPNext, has been found vulnerable to three security issues, potentially affecting thousands of self-hosted deployments. These vulnerabilities—tracked as CVE-2025-52898, CVE-2025-52896, and CVE-2025-52895—carry CVSS v4 base scores ranging from 8.6 to 8.7, highlighting their severity. While users on Frappe Cloud remain unaffected, those managing their own infrastructure are urged to upgrade immediately to avoid compromise.
Account Takeover via Password Reset Token Leakage – CVE-2025-52898 (CVSS 8.7)
A serious vulnerability affecting self-hosted Frappe Framework deployments could allow an attacker to gain unauthorized access to user accounts through the leakage of password reset tokens. By sending a carefully crafted request, a malicious actor may intercept or derive the reset token and hijack a victim’s account. The risk is limited to self-hosted instances that are configured in specific insecure ways. As the Frappe team clarified, “Frappe Cloud users are safe,” thanks to default protections in the managed environment. However, the nature of this flaw places a significant burden on system administrators to assess and patch their own instances. Affected users are advised to upgrade to version 15.58.0 or 14.94.3, and in the meantime, verify the legitimacy of any password reset links before clicking.
Authenticated XSS via Malicious File Upload – CVE-2025-52896 (CVSS 8.6)
Another critical issue lies in Frappe’s Data Import functionality. In this case, authenticated users are able to upload specially crafted files that inject malicious scripts into the application. Once uploaded, these scripts could execute in the browsers of other users—leading to classic Cross-Site Scripting (XSS) attacks. This vulnerability is particularly dangerous in shared administrative environments where multiple users interact with imported content. The flaw has been addressed in versions 15.57.0 and 14.94.2. Until systems are updated, organizations should consider restricting access to the Data Import tool to minimize risk.
SQL Injection through Improper Validation – CVE-2025-52895 (CVSS 8.7)
Perhaps the most technically alarming vulnerability involves the potential for SQL injection due to improper input validation. Through a specially crafted request, an attacker could manipulate backend SQL queries to gain unauthorized access to sensitive database contents. Depending on the configuration and data stored, this could result in credential leaks, unauthorized data modification, or full data exfiltration. This vulnerability affects all Frappe Framework versions below 15.58.0 and 14.94.3, and patches have been released accordingly. Developers are encouraged to validate all user inputs and audit any custom endpoints that may bypass built-in protections.
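To help administrators map the fix versions named above onto an installed release, the following is an added Python example (not Frappe project code). It assumes the instance reports its framework version as a plain semantic version string such as `15.57.0`; the fix versions are the ones this article lists for each CVE.

```python
"""Check a self-hosted Frappe Framework version against the fix versions
named in the advisory (added example, not Frappe project code)."""
import re

# Fix versions per CVE, keyed by major release line, taken from the article.
FIXES = {
    "CVE-2025-52898": {15: (15, 58, 0), 14: (14, 94, 3)},  # reset-token leakage
    "CVE-2025-52896": {15: (15, 57, 0), 14: (14, 94, 2)},  # Data Import XSS
    "CVE-2025-52895": {15: (15, 58, 0), 14: (14, 94, 3)},  # SQL injection
}


def parse_version(text):
    """Parse 'v15.58.0' or '15.58.0-rc1' into a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def unpatched_cves(version_text):
    """Return the CVE ids from the advisory that the given version is still
    exposed to. A release line the advisory names no fix for is reported as
    unknown and treated as affected rather than silently assumed safe."""
    ver = parse_version(version_text)
    result = []
    for cve, fixes in FIXES.items():
        fixed = fixes.get(ver[0])
        if fixed is None:
            result.append(f"{cve} (no fix listed for {ver[0]}.x; treat as affected)")
        elif ver < fixed:  # tuple comparison: major, then minor, then patch
            result.append(cve)
    return result


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real deployment.
    for v in ("15.57.0", "14.94.3", "15.58.0", "v14.94.1"):
        print(v, "->", unpatched_cves(v) or "patched against all three")
```

Note that a `15.57.0` instance is patched against the XSS flaw but still exposed to the token-leakage and SQL-injection issues, because those were fixed one release later.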