Which versions of Frappe Crm are affected by CVE-2025-11461?

CVE-2025-11461 presents moderate security risk, a SQL injection vulnerability rated CVSS 7.1.. A patch is available.

Is there a public PoC exploit available for CVE-2025-11461?

Yes, a public proof-of-concept exploit is available for CVE-2025-11461. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-11461?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Validate that input sanitization is in place for all user-controlled parameters.

Frappe Crm CVE-2025-11461

Q: What is the CVSS score of CVE-2025-11461?

CVE-2025-11461 has a CVSS 4.0 base score of 7.1 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

HIGH

SQL Injection (CWE-89)

2025-11-26 help@fluidattacks.com

SQLi Frappe Crm

7.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

7.1 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:24 vuln.today

Patch released

Mar 28, 2026 - 19:24 nvd

Patch available

PoC Detected

Dec 19, 2025 - 16:32 vuln.today

Public exploit code

CVE Published

Nov 26, 2025 - 18:15 nvd

HIGH 7.1

DescriptionCVE.org

Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1.

AnalysisAI

Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements.53.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements.53.1. Affected products include: Frappe Frappe Crm.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2025-11461 vulnerability details – vuln.today

Back