Frappe Framework
CVE-2025-67289
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attachment upload realistically needs an account (PR:L) and a victim must view the file (UI:R); XSS crosses into the session context (S:C) with high C/I but no direct availability impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.
AnalysisAI
Stored cross-site scripting leading to code execution in Frappe Framework 15.89.0 (and the ERPNext application built on it) lets attackers upload a crafted XML/SVG file through the Attachments module that runs attacker-controlled script when a victim views it. Tagged as XSS/RCE/File Upload with a publicly available exploit code, though EPSS remains low at 0.44% (35th percentile) and it is not on CISA KEV. The CVSS 9.6 rating reflects a scope-changing, user-interaction-dependent attack rather than direct server-side compromise.
Technical ContextAI
Frappe Framework is an open-source, Python/JavaScript full-stack web framework that underpins the ERPNext ERP suite; the CPE data confirms both cpe:2.3:a:frappe:frappe:15.89.0 and cpe:2.3:a:frappe:erpnext:15.89.0 are affected. The root-cause class is CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. cross-site scripting), and the vector combined with the 'crafted XML file' detail indicates the Attachments module fails to sanitize or restrict uploaded file content (classically an SVG/XML payload containing embedded script). When such a file is rendered or served inline in a browser session, the embedded script executes in the context of the application, which is how 'arbitrary code' execution is achieved - script execution in the victim's authenticated browser session, not native server code execution.
RemediationAI
No vendor-released patch version is identified in the available data, so the actionable step is to upgrade Frappe Framework and ERPNext to the latest maintained release above 15.89.0 and monitor http://frappe.com and the Frappe GitHub security advisories for the exact fixed version before deploying. As compensating controls until patched: force all user-uploaded attachments to be served with Content-Disposition: attachment (download rather than inline render) and a restrictive Content-Security-Policy to neutralize embedded script, which prevents in-browser execution at the cost of losing inline preview; block or reject SVG/XML uploads at the reverse proxy or in the Attachments allow-list, accepting that legitimate SVG/XML attachments will be refused; and restrict attachment upload permissions to trusted roles to shrink the pool of potential submitters. Do not treat the public exploit README (https://github.com/vuquyen03/CVE/blob/main/CVE-2025-67289/README.md) as guidance - it is offensive proof-of-concept material.
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Rated high severity (CVS
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Rated high severity (CVS
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Rated high severity (CVS
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Rated high severity (CVS
An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. Rated high sev
In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/re
In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reco
In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Inje
In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_requ
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. Rated high severity (CV
In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL Injection, w
Frappe ERPNext 12.29.0 is vulnerable to XSS where the software does not neutralize or incorrectly neutralize user-contro
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today