CVE-2025-28062

HIGH

Frappe Erpnext - CSRF


Description

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNext 14.82.1 and 14.74.3. Because CSRF protections are missing, an attacker can cause an authenticated user to perform unauthorized actions such as user deletion, password resets, and privilege escalation.

Exploits (2)

exploitdb (WORKING POC) by Ahmed Thaiban · text / webapps / python
https://www.exploit-db.com/exploits/52283

nomisec (WORKING POC, 2 stars) by Thvt0ne · poc
https://github.com/Thvt0ne/CVE-2025-28062

References (2)


Scores

CVSS v3: 8.1
EPSS: 0.0022
EPSS Percentile: 44.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-352
Status: published
Products (2):
frappe/erpnext 14.74.3
frappe/erpnext 14.82.1
Published: May 05, 2025
Tracked Since: Feb 18, 2026