
THREATINT
PUBLISHED

CVE-2025-52896

Frappe authenticated XSS via data import



Description

Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds for this issue other than upgrading.

Reserved 2025-06-20 | Published 2025-06-30 | Updated 2025-06-30 | Assigner GitHub_M


HIGH: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

frappe < 15.57.0: affected

frappe < 14.94.2: affected

References

github.com/...frappe/security/advisories/GHSA-hv29-66qg-2v6p

github.com/frappe/frappe/pull/31483

github.com/...ommit/152fd09de5bca16b8d299d715a1f5df6fca3866f

github.com/...ommit/f11c53d4df745b58bd1c1c08e1634a2f5a55322a

cve.org (CVE-2025-52896)

nvd.nist.gov (CVE-2025-52896)

https://cve.threatint.eu/CVE/CVE-2025-52896