Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds for this issue other than upgrading.
Reserved 2025-06-20 | Published 2025-06-30 | Updated 2025-06-30 | Assigner GitHub_M
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
github.com/...frappe/security/advisories/GHSA-hv29-66qg-2v6p
github.com/frappe/frappe/pull/31483
github.com/...ommit/152fd09de5bca16b8d299d715a1f5df6fca3866f
github.com/...ommit/f11c53d4df745b58bd1c1c08e1634a2f5a55322a