CVE-2025-28062

HIGH

Frappe Erpnext - CSRF

Title source: rule

Description

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNext 14.82.1 and 14.74.3. Because the affected state-changing endpoints lack CSRF protection, an attacker who lures an authenticated user to a crafted page can have that user's browser perform unauthorized actions on the attacker's behalf, including user deletion, password resets, and privilege escalation. No privileges are needed on the target system, but user interaction is required, which is reflected in the CVSS vector (PR:N, UI:R).
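The description above says the actions succeed "due to missing CSRF protections". The following Python example, added here and not taken from the exploits listed on this page nor from the Frappe/ERPNext code base, shows the difference between a dispatcher that trusts the session cookie alone (the CWE-352 pattern) and one that additionally requires a same-site Origin/Referer and a session-bound anti-CSRF token. The origin, endpoint paths, header and form-field names, and the sample requests are all constructed assumptions for illustration, not Frappe's actual API.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumptions for illustration only: the deployment's own origin and the
# header / form-field names that carry the anti-CSRF token. None of these
# are Frappe's real names.
SITE_ORIGIN = "https://erp.example.test"
TOKEN_HEADER = "X-CSRF-Token"
TOKEN_FIELD = "csrf_token"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)
    form: dict[str, str] = field(default_factory=dict)


def issue_csrf_token(session: dict) -> str:
    """Mint a random token and bind it to the server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_origin(req: Request) -> str | None:
    """Origin header if present, else scheme+host of the Referer, else None."""
    if "Origin" in req.headers:
        return req.headers["Origin"]
    ref = req.headers.get("Referer")
    if ref:
        parts = urlsplit(ref)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(req: Request, session: dict) -> tuple[bool, str]:
    """Return (allowed, reason). Only state-changing methods are gated."""
    if req.method.upper() not in STATE_CHANGING:
        return True, "safe method"
    origin = request_origin(req)
    if origin != SITE_ORIGIN:            # absent or foreign origin: reject
        return False, f"origin mismatch: {origin!r}"
    supplied = req.headers.get(TOKEN_HEADER) or req.form.get(TOKEN_FIELD)
    expected = session.get("csrf_token")
    if not supplied or not expected:
        return False, "missing csrf token"
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "csrf token mismatch"
    return True, "ok"


def handle_request(req: Request, session: dict, enforce_csrf: bool) -> str:
    """Toy dispatcher. enforce_csrf=False mirrors the missing check that the
    advisory describes; enforce_csrf=True is the hardened path."""
    if enforce_csrf:
        ok, reason = csrf_check(req, session)
        if not ok:
            return f"403 rejected ({reason})"
    if req.method == "POST" and req.path == "/api/delete_user":
        return f"200 deleted user {req.form.get('name')!r}"
    if req.method == "POST" and req.path == "/api/reset_password":
        return f"200 password reset for {req.form.get('name')!r}"
    return "404"


# Constructed sample session and requests (not captured traffic).
SESSION: dict = {"user": "admin"}
TOKEN = issue_csrf_token(SESSION)

# What a hidden auto-submitting form on attacker.example produces: the
# victim's session cookie rides along, but Origin is foreign and no token.
FORGED = Request("POST", "/api/delete_user",
                 headers={"Origin": "https://attacker.example"},
                 form={"name": "victim"})
# Same forgery with Origin and Referer stripped (Referrer-Policy: no-referrer).
FORGED_NO_ORIGIN = Request("POST", "/api/delete_user", form={"name": "victim"})
# Legitimate same-origin submission carrying the session-bound token.
LEGIT = Request("POST", "/api/delete_user",
                headers={"Origin": SITE_ORIGIN, TOKEN_HEADER: TOKEN},
                form={"name": "victim"})
# Right origin but a guessed or stale token.
STALE = Request("POST", "/api/reset_password",
                headers={"Origin": SITE_ORIGIN},
                form={"name": "victim", TOKEN_FIELD: "guess"})


if __name__ == "__main__":
    for label, req in [("forged", FORGED), ("forged-no-origin", FORGED_NO_ORIGIN),
                       ("legit", LEGIT), ("stale-token", STALE)]:
        print(f"{label:17} unchecked: {handle_request(req, SESSION, False)}")
        print(f"{label:17} checked:   {handle_request(req, SESSION, True)}")
```

The origin check alone stops the classic cross-site form post, but it is not sufficient on its own because some clients and privacy settings strip Referer, and a missing Origin must then be treated as foreign rather than trusted. The session-bound token is the second, independent control; comparing it with `hmac.compare_digest` avoids leaking it through timing.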

Exploits (2)

nomisec · working PoC
by Thvt0ne · poc
https://github.com/Thvt0ne/CVE-2025-28062
exploitdb · working PoC
by Ahmed Thaiban · text · webapps · python
https://www.exploit-db.com/exploits/52283

Scores

CVSS v3 8.1
EPSS 0.0022
EPSS Percentile 44.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Classification

CWE
CWE-352 (Cross-Site Request Forgery)
Status published

Affected Products (2)

frappe/erpnext 14.82.1
frappe/erpnext 14.74.3

Timeline

Published May 05, 2025
Tracked Since Feb 18, 2026