What is the CVSS score of EUVD-2025-200968?

EUVD-2025-200968 has a CVSS 3.1 base score of 9.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Erpnext are affected by EUVD-2025-200968?

A critical vulnerability in ERPNext and Frappe Framework allows attackers to inject malicious code through avatar images, potentially leading to full compromise of the system when administrators…

How to fix or mitigate EUVD-2025-200968?

Within 24 hours: Disable avatar upload functionality or restrict access to trusted administrators only; audit recent avatar uploads for suspicious content. Within 7 days: Implement Web Application Firewall (WAF) rules to block SVG uploads containing script tags; conduct forensic review of administrator accounts for unauthorized access. Within 30 days: Establish continuous monitoring for patch availability; develop and test migration plan to patched versions; review and strengthen file upload validation policies across all applications.

Erpnext EUVD-2025-200968

| CVE-2025-65267 CRITICAL

Cross-site Scripting (XSS) (CWE-79)

2025-12-03 cve@mitre.org

Privilege Escalation XSS Erpnext Frappe

9.0

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.0 CRITICAL

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 16:14 euvd

EUVD-2025-200968

Analysis Generated

Mar 15, 2026 - 16:14 vuln.today

CVE Published

Dec 03, 2025 - 15:15 nvd

CRITICAL 9.0

DescriptionCVE.org

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.

Analysis

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

EUVD-2025-200968 vulnerability details – vuln.today

Back

Erpnext EUVD-2025-200968

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

Analysis

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code