CVE-2025-52898HIGH 8.8EPSS p30.5%

CVE-2025-52898CVE-2025-52898

Description

Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS0.39% probability of exploitation · percentile 30.5% · 2026-06-19T12:03:05Z
Published2025-06-30
Last modified2025-07-08

Underlying weaknesses· 1

CWE-200

References

  1. https://github.com/frappe/frappe/commit/52e31337a6c964189c8b883a2f7bc3a28ab374f2
  2. https://github.com/frappe/frappe/commit/5b4849b1ab5fd796b306312745b4e202b0e90d66
  3. https://github.com/frappe/frappe/pull/31522
  4. https://github.com/frappe/frappe/security/advisories/GHSA-p284-r7rh-wq7j

1

TypeTargetConfidenceTier
WeaknessExposure of Sensitive Information to an Unauthorized Actorcwe-2000%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-68929
CVE
CVE-2025-55731
CVE
CVE-2026-31877
CVE
CVE-2026-29081
CVE
CVE-2025-30213
CVE
CVE-2025-66205
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.