Skip to main content

Frappe Framework CVE-2025-67289

CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2025-12-22 cve@mitre.org
9.6
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
8.7 HIGH

Attachment upload realistically needs an account (PR:L) and a victim must view the file (UI:R); XSS crosses into the session context (S:C) with high C/I but no direct availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 03:31 vuln.today

DescriptionCVE.org

An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.

AnalysisAI

Stored cross-site scripting leading to code execution in Frappe Framework 15.89.0 (and the ERPNext application built on it) lets attackers upload a crafted XML/SVG file through the Attachments module that runs attacker-controlled script when a victim views it. Tagged as XSS/RCE/File Upload with a publicly available exploit code, though EPSS remains low at 0.44% (35th percentile) and it is not on CISA KEV. The CVSS 9.6 rating reflects a scope-changing, user-interaction-dependent attack rather than direct server-side compromise.

Technical ContextAI

Frappe Framework is an open-source, Python/JavaScript full-stack web framework that underpins the ERPNext ERP suite; the CPE data confirms both cpe:2.3:a:frappe:frappe:15.89.0 and cpe:2.3:a:frappe:erpnext:15.89.0 are affected. The root-cause class is CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. cross-site scripting), and the vector combined with the 'crafted XML file' detail indicates the Attachments module fails to sanitize or restrict uploaded file content (classically an SVG/XML payload containing embedded script). When such a file is rendered or served inline in a browser session, the embedded script executes in the context of the application, which is how 'arbitrary code' execution is achieved - script execution in the victim's authenticated browser session, not native server code execution.

RemediationAI

No vendor-released patch version is identified in the available data, so the actionable step is to upgrade Frappe Framework and ERPNext to the latest maintained release above 15.89.0 and monitor http://frappe.com and the Frappe GitHub security advisories for the exact fixed version before deploying. As compensating controls until patched: force all user-uploaded attachments to be served with Content-Disposition: attachment (download rather than inline render) and a restrictive Content-Security-Policy to neutralize embedded script, which prevents in-browser execution at the cost of losing inline preview; block or reject SVG/XML uploads at the reverse proxy or in the Attachments allow-list, accepting that legitimate SVG/XML attachments will be refused; and restrict attachment upload permissions to trusted roles to shrink the pool of potential submitters. Do not treat the public exploit README (https://github.com/vuquyen03/CVE/blob/main/CVE-2025-67289/README.md) as guidance - it is offensive proof-of-concept material.

CVE-2018-3885 HIGH POC
8.8 Sep 12

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Rated high severity (CVS

CVE-2018-3884 HIGH POC
8.8 Sep 12

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Rated high severity (CVS

CVE-2018-3883 HIGH POC
8.8 Sep 12

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Rated high severity (CVS

CVE-2018-3882 HIGH POC
8.8 Sep 12

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Rated high severity (CVS

CVE-2020-6145 HIGH POC
8.8 Aug 10

An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. Rated high sev

CVE-2025-52042 HIGH POC
8.2 Oct 01

In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/re

CVE-2025-52041 HIGH POC
8.2 Oct 01

In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reco

CVE-2025-52040 HIGH POC
8.2 Oct 01

In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Inje

CVE-2025-52039 HIGH POC
8.2 Oct 01

In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_requ

CVE-2025-28062 HIGH POC
8.1 May 05

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. Rated high severity (CV

CVE-2025-52044 HIGH POC
7.5 Sep 16

In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL Injection, w

CVE-2022-28598 MEDIUM POC
6.1 Aug 22

Frappe ERPNext 12.29.0 is vulnerable to XSS where the software does not neutralize or incorrectly neutralize user-contro

Share

CVE-2025-67289 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy