CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe HelpDesk: 1.14.0.
Analysis (AI)
SQL injection in the Frappe HelpDesk 1.14.0 dashboard functionality allows authenticated attackers to execute arbitrary SQL queries via the get_dashboard_data endpoint. Unsafe concatenation of user-controlled parameters into dynamic SQL statements enables data exfiltration and database manipulation. Publicly available exploit code exists. With CVSS 8.6 (Network / Low Complexity / Low Privileges Required), this represents a high-severity risk for organizations running the affected version, although the vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Technical Context (AI)
Frappe HelpDesk is an open-source customer support ticketing system built on the Frappe Framework. The vulnerability stems from CWE-89 (SQL Injection) in the dashboard's get_dashboard_data function, where user-supplied parameters are concatenated directly into SQL queries without proper parameterization or sanitization. This classic injection flaw occurs when dynamic SQL construction uses string concatenation instead of prepared statements or ORM-safe methods. The CVSS:4.0 vector shows network-accessible (AV:N) exploitation with low attack complexity (AC:L) requiring only low privileges (PR:L), meaning any authenticated user with basic dashboard access can exploit this vulnerability. The affected product (cpe:2.3:a:frappe:helpdesk:1.14.0) is specifically version 1.14.0 of the Frappe HelpDesk application.
Remediation (AI)
Apply the vendor-released fix by upgrading to a patched version of Frappe HelpDesk beyond 1.14.0. The upstream fix is available in GitHub pull request #2795 at https://github.com/frappe/helpdesk/pull/2795, which addresses the unsafe SQL concatenation by implementing proper parameterization or ORM-safe query construction in the get_dashboard_data function. Organizations should review the pull request, verify the fix has been merged into a stable release, and upgrade immediately. As an interim mitigation, restrict access to the dashboard functionality to only highly trusted authenticated users, implement web application firewall (WAF) rules to detect SQL injection patterns in dashboard requests, and monitor database query logs for suspicious activity. Consult the Fluid Attacks advisory at https://fluidattacks.com/advisories/dyango for additional technical details.
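The Technical Context and Remediation sections above describe the flaw class (CWE-89 via string concatenation) and the fix class (parameterized queries) in general terms. The following is an added illustration, not code from Frappe HelpDesk or from the upstream pull request: it uses a constructed in-memory SQLite table with a made-up ticket schema and a hypothetical dashboard-count function, placing the concatenating form next to the bound-parameter form so the behavioural difference on an input containing a quote character is observable.

```python
import sqlite3


def make_db():
    # Constructed sample data; this is NOT Frappe HelpDesk's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ticket (name TEXT, status TEXT, team TEXT)")
    conn.executemany(
        "INSERT INTO ticket VALUES (?, ?, ?)",
        [
            ("TKT-1", "Open", "Billing"),
            ("TKT-2", "Closed", "Billing"),
            ("TKT-3", "Open", "Support"),
        ],
    )
    return conn


def count_open_unsafe(conn, team):
    # Vulnerable pattern (CWE-89): the caller-controlled value is spliced into
    # the statement text, so a quote in the value changes the query's structure.
    query = (
        "SELECT COUNT(*) FROM ticket WHERE status = 'Open' AND team = '"
        + team
        + "'"
    )
    return conn.execute(query).fetchone()[0]


def count_open_safe(conn, team):
    # Hardened pattern: the value is passed as a bound parameter and is never
    # parsed as SQL, whatever characters it contains.
    query = "SELECT COUNT(*) FROM ticket WHERE status = 'Open' AND team = ?"
    return conn.execute(query, (team,)).fetchone()[0]


def demo():
    # Compare both forms on a benign value and on a constructed value that
    # contains a quote character; returns the four counts for inspection.
    conn = make_db()
    benign = "Billing"
    crafted = "x' OR '1'='1"  # constructed input; no team has this name
    return {
        "unsafe_benign": count_open_unsafe(conn, benign),
        "unsafe_crafted": count_open_unsafe(conn, crafted),  # filter collapses, all rows counted
        "safe_benign": count_open_safe(conn, benign),
        "safe_crafted": count_open_safe(conn, crafted),  # literal match, zero rows
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

In a Frappe application the equivalent hardening is to pass values separately from the statement text, for example `frappe.db.sql(query, values)` with `%s` or `%(name)s` placeholders in the query, or to build the statement with the `frappe.qb` query builder rather than concatenating request parameters; whether the upstream pull request takes one of these routes is something to confirm against the PR diff itself.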