What is the CVSS score of EUVD-2025-19587?

EUVD-2025-19587 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Frappe are affected by EUVD-2025-19587?

Organizations using Frappe face notable risk from CVE-2025-52895, a SQL injection vulnerability rated CVSS 7.5.. A patch is available.

How to fix or mitigate EUVD-2025-19587?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Validate that input sanitization is in place for all user-controlled parameters.

Frappe EUVD-2025-19587

| CVE-2025-52895 HIGH

SQL Injection (CWE-89)

2025-06-30 security-advisories@github.com

SQLi Frappe

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 16, 2026 - 01:25 euvd

EUVD-2025-19587

Analysis Generated

Mar 16, 2026 - 01:25 vuln.today

Patch released

Mar 16, 2026 - 01:25 nvd

Patch available

CVE Published

Jun 30, 2025 - 17:15 nvd

HIGH 7.5

DescriptionGitHub Advisory

Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow malicious person to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There are no workarounds for this issue other than upgrading.

Analysis

Technical ContextAI

SQL injection occurs when user-supplied input is incorporated into SQL queries without proper sanitization or parameterized queries.

RemediationAI

A vendor patch is available — apply it immediately. Use parameterized queries or prepared statements. Apply input validation and escape special characters. Implement least-privilege database accounts.

More from same product – last 7 days

CVE-2026-44208 MEDIUM This Month

6.9 Jun 12

Unauthorized resource access in the Frappe web application framework exposes the submit_discussion() endpoint to unauthe

CVE-2026-50026 MEDIUM This Month

6.9 Jun 12

Missing authorization checks on multiple Frappe framework endpoints allow remote unauthenticated attackers to access and

CVE-2026-44205 MEDIUM This Month

6.9 Jun 12

Stored cross-site scripting in Frappe's user profile image section enables script injection that executes in the browser

CVE-2026-47739 MEDIUM This Month

6.9 Jun 12

Stored cross-site scripting in the Frappe framework's Note feature allows a low-privileged attacker to persist malicious

CVE-2026-44206 MEDIUM This Month

6.9 Jun 12

DB schema enumeration in Frappe (versions prior to 15.107.2 and 16.17.4) exposes internal database structure to unauthen

EUVD-2025-19587 vulnerability details – vuln.today

Back

Frappe EUVD-2025-19587

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

Analysis

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code