Status of CVE-2025-28062

https://www.cvedetails.com/cve/CVE-2025-28062/

https://www.cve.org/CVERecord?id=CVE-2025-28062

I saw this CVE reported against ERPNext, but could not find a response or update. Has this been fixed? This was reported on 05/05/2025.

Seems to be a high-risk exploit.

Agree with you, in case it's really compromising!

To paraphrase, the issue was that you could click on some malicious link that makes you trigger an API call to ERPNext that potentially modifies some entries. Clicking on a link corresponds to a GET request. This issue has been addressed by restricting some of the Frappe framework's core API endpoints to non-GET requests:

If you find any other whitelisted methods that allow modifying data through a GET request, please report them as a vulnerability to Security (or the corresponding custom app provider).

2 Likes
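As an added illustration of the fix described in the reply above (this is example code written for this thread, not Frappe's own code and not the commit being referred to), here is a small Python model of the pattern: whitelisted API methods that change data are declared with an explicit list of allowed HTTP methods, so a plain link click (always a GET) is rejected before the handler body runs, while read-only methods stay reachable over GET. It is modelled on the `methods=` restriction that Frappe's `frappe.whitelist` decorator supports, but the `whitelist` decorator, `Request` object, in-memory `DB`, `dispatch` router and handler names below are all constructed for the example and do not match Frappe's real implementation. The `audit_unsafe_mutators` helper shows the kind of check the reply asks custom-app maintainers to do: list any whitelisted method that mutates data but still accepts GET.

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable

# HTTP methods a browser sends when a user merely follows a link or loads an
# image; none of these should ever be allowed to change server-side state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request (not Frappe's)."""
    method: str
    path: str                      # e.g. "/api/method/set_value"
    args: dict = field(default_factory=dict)


class MethodNotAllowed(Exception):
    pass


# Constructed in-memory "database" and API registry for the example.
DB = {"User:alice": {"email": "alice@example.test"}}
API: dict[str, Callable] = {}


def whitelist(methods=None, mutates=False):
    """Hypothetical decorator modelled on the idea behind
    frappe.whitelist(methods=...): register a function as callable over HTTP
    and, when `methods` is given, reject every other HTTP method up front."""
    allowed = frozenset(m.upper() for m in methods) if methods else None

    def deco(fn):
        @wraps(fn)
        def wrapper(req, **kwargs):
            if allowed is not None and req.method.upper() not in allowed:
                raise MethodNotAllowed(f"{fn.__name__} does not accept {req.method}")
            return fn(req, **kwargs)

        wrapper.allowed_methods = allowed
        wrapper.mutates = mutates      # metadata used only by the audit below
        API[fn.__name__] = wrapper
        return wrapper

    return deco


@whitelist()                                   # read-only: GET is fine
def get_value(req, doctype, name, field):
    return DB[f"{doctype}:{name}"].get(field)


@whitelist(methods=["POST"], mutates=True)     # fixed shape: GET is rejected
def set_value(req, doctype, name, field, value):
    DB[f"{doctype}:{name}"][field] = value
    return "ok"


@whitelist(mutates=True)                       # vulnerable shape: any method works
def set_value_legacy(req, doctype, name, field, value):
    DB[f"{doctype}:{name}"][field] = value
    return "ok"


def dispatch(req):
    """Route /api/method/<name> to its handler; returns (status, body)."""
    name = req.path.rsplit("/", 1)[-1]
    handler = API.get(name)
    if handler is None:
        return 404, "not found"
    try:
        return 200, handler(req, **req.args)
    except MethodNotAllowed as exc:
        return 405, str(exc)


def audit_unsafe_mutators():
    """Names of whitelisted methods that change data yet still accept a safe
    method such as GET: the class of issue the reply asks to be reported."""
    return sorted(
        name for name, h in API.items()
        if h.mutates and (h.allowed_methods is None or h.allowed_methods & SAFE_METHODS)
    )


if __name__ == "__main__":
    link_click = Request("GET", "/api/method/set_value",
                         {"doctype": "User", "name": "alice",
                          "field": "email", "value": "new@example.test"})
    print(dispatch(link_click))          # (405, ...) and DB is unchanged
    print(audit_unsafe_mutators())       # ['set_value_legacy']
```

In the model, `set_value_legacy` is what the thread's "before" state looks like: nothing about the handler itself is wrong, but because it is reachable over GET the browser will happily send the request on behalf of a logged-in user. The audit function is deliberately metadata-driven; in a real code base the equivalent is reviewing each `@frappe.whitelist` method that writes documents and making sure it is declared with `methods=["POST"]` (or similar).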

Thanks for the update. I can see the github issue and commits. But the CVE is still not closed and probably because the github issue doesn’t reference the CVE number. Could someone from Frappe mark that CVE as closed with reference to this github issue? (like how all other CVEs have been closed…)

A CVE record never flips to a “closed” or “resolved” state the way a ticket in a bug-tracker does. Once published it stays on the public list forever. The only three official CVE states are RESERVED → PUBLISHED → REJECTED.

I’ve submitted a request via https://cveform.mitre.org/ to include info about the fixed versions.

Thanks @rmeyer
I’m also wondering why this CVE is not listed in Frappe’s security advisory page - Security Advisories · frappe/frappe

Any idea?

@kirthi, appreciated 👏 for highlighting this issue as "security is one of our main concerns!"

Frappe team has now added the CVE to the advisory - Account takeover via CSRF · Advisory · frappe/frappe · GitHub

Thanks.