CVE-2025-52896
BaseFortify
Publication date: 2025-06-30
Last updated on: 2025-07-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | frappe | to 14.94.2 (exc) |
| frappe | frappe | From 15.0.0 (inc) to 15.57.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52896 is a high-severity cross-site scripting (XSS) vulnerability in the Frappe web application framework. It affects the Data Import feature, where authenticated users could upload maliciously crafted files that contain executable scripts. These scripts could then run in the context of the application, potentially compromising user data or the system. The vulnerability arises because preview data and filenames were not properly sanitized before being displayed, allowing injection of malicious code. The issue has been fixed by applying sanitization functions to filenames and preview data to neutralize any embedded scripts. [1, 2, 3, 4]
How can this vulnerability impact me? :
This vulnerability can lead to cross-site scripting attacks, allowing an attacker with authenticated access to inject malicious scripts via uploaded files. This can result in unauthorized disclosure or modification of sensitive information managed by the system, compromising data confidentiality and integrity. Because the attack requires only low privileges and no user interaction, it poses a significant risk to the security of the application and its users. There is no impact on system availability. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the Frappe framework to version 14.94.2 or 15.57.0 or later, where the vulnerability has been patched. There are no workarounds other than upgrading. The patch sanitizes preview data and filenames to prevent XSS attacks. [3]