What is the CVSS score of EUVD-2025-200084?

EUVD-2025-200084 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L. EPSS exploitation probability: 0.0%.

Which versions of Frappe are affected by EUVD-2025-200084?

A SQL injection vulnerability in Frappe framework versions prior to 15.86.0 and 14.99.2 allows attackers to extract sensitive information including system version details without authentication.. A patch is available.

How to fix or mitigate EUVD-2025-200084?

Within 24 hours: Identify all Frappe instances in production and document their versions. Within 7 days: Deploy patches (upgrade to 15.86.0 or 14.99.2) or implement WAF rules to block malicious parameter inputs to the vulnerable endpoint. Within 30 days: Conduct security audit of affected systems for evidence of exploitation and verify patch deployment across all instances.

Frappe EUVD-2025-200084

| CVE-2025-66205 HIGH

SQL Injection (CWE-89)

2025-12-01 security-advisories@github.com

SQLi Frappe

7.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 13:34 euvd

EUVD-2025-200084

Analysis Generated

Mar 15, 2026 - 13:34 vuln.today

Patch released

Mar 15, 2026 - 13:34 nvd

Patch available

CVE Published

Dec 01, 2025 - 21:15 nvd

HIGH 7.1

DescriptionGitHub Advisory

Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2.

Analysis

Technical ContextAI

SQL injection occurs when user-supplied input is incorporated into SQL queries without proper sanitization or parameterized queries.

RemediationAI

A vendor patch is available — apply it immediately. Use parameterized queries or prepared statements. Apply input validation and escape special characters. Implement least-privilege database accounts.

More from same product – last 7 days

CVE-2026-44208 MEDIUM This Month

6.9 Jun 12

Unauthorized resource access in the Frappe web application framework exposes the submit_discussion() endpoint to unauthe

CVE-2026-50026 MEDIUM This Month

6.9 Jun 12

Missing authorization checks on multiple Frappe framework endpoints allow remote unauthenticated attackers to access and

CVE-2026-44205 MEDIUM This Month

6.9 Jun 12

Stored cross-site scripting in Frappe's user profile image section enables script injection that executes in the browser

CVE-2026-47739 MEDIUM This Month

6.9 Jun 12

Stored cross-site scripting in the Frappe framework's Note feature allows a low-privileged attacker to persist malicious

CVE-2026-44206 MEDIUM This Month

6.9 Jun 12

DB schema enumeration in Frappe (versions prior to 15.107.2 and 16.17.4) exposes internal database structure to unauthen

EUVD-2025-200084 vulnerability details – vuln.today

Back

Frappe EUVD-2025-200084

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

Analysis

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code