Lucene search
K

79 matches found

RedhatCVE
RedhatCVE
added 2025/12/16 12:25 a.m.3 views

CVE-2025-66438

A Server-Side Template Injection SSTI vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.gethtmlandstyle triggers the rendering of the html field inside a Print Format document using frappe.rendertemplatetemplate...

9.8CVSS6.5AI score0.00429EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/12/16 12:25 a.m.5 views

CVE-2025-66434

An SSTI Server-Side Template Injection vulnerability exists in the getdunninglettertext method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates bodytext using frappe.rendertemplate with a user-supplied context doc. Although Frappe uses a custom...

8.8CVSS7.5AI score0.00507EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/12/16 12:25 a.m.4 views

CVE-2025-66436

An SSTI Server-Side Template Injection vulnerability exists in the gettermsandconditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates terms using frappe.rendertemplate with a user-supplied context doc. Although Frappe uses a custom...

4.3CVSS7.5AI score0.00289EPSS
Exploits1References1
EUVD
EUVD
added 2025/12/15 6:30 p.m.6 views

EUVD-2025-203396

An SSTI Server-Side Template Injection vulnerability exists in the getcontracttemplate method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates contractterms using frappe.rendertemplate with a user-supplied context doc. Although Frappe uses a custom...

7AI score0.00289EPSS
Exploits1References3
EUVD
EUVD
added 2025/12/15 6:30 p.m.4 views

EUVD-2025-203390

An SSTI Server-Side Template Injection vulnerability exists in the gettermsandconditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates terms using frappe.rendertemplate with a user-supplied context doc. Although Frappe uses a custom...

7AI score0.00289EPSS
Exploits1References3
EUVD
EUVD
added 2025/12/15 6:30 p.m.4 views

EUVD-2025-203392

An issue was discovered in Frappe ERPNext through 15.89.0. Function getoutstandingreferencedocuments at erpnext.accounts.doctype.paymententry.paymententry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by injecting SQL payloads via the...

7.1AI score0.00325EPSS
Exploits1References3
EUVD
EUVD
added 2025/12/15 6:30 p.m.5 views

EUVD-2025-203397

An SSTI Server-Side Template Injection vulnerability exists in the getdunninglettertext method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates bodytext using frappe.rendertemplate with a user-supplied context doc. Although Frappe uses a custom...

7AI score0.00507EPSS
Exploits1References3
EUVD
EUVD
added 2025/12/15 6:30 p.m.5 views

EUVD-2025-203391

An issue was discovered in Frappe ERPNext through 15.89.0. Function getoutstandingreferencedocuments at erpnext/accounts/doctype/paymententry/paymententry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by injecting SQL payloads via the...

7.1AI score0.00325EPSS
Exploits1References3
NVD
NVD
added 2025/12/15 6:15 p.m.4 views

CVE-2025-66440

An issue was discovered in Frappe ERPNext through 15.89.0. Function getoutstandingreferencedocuments at erpnext/accounts/doctype/paymententry/paymententry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by injecting SQL payloads via the...

9.8CVSS0.00325EPSS
Exploits1References2
NVD
NVD
added 2025/12/15 6:15 p.m.4 views

CVE-2025-66436

An SSTI Server-Side Template Injection vulnerability exists in the gettermsandconditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates terms using frappe.rendertemplate with a user-supplied context doc. Although Frappe uses a custom...

4.3CVSS0.00289EPSS
Exploits1References2
OSV
OSV
added 2025/12/15 6:15 p.m.3 views

CVE-2025-66437

An SSTI Server-Side Template Injection vulnerability exists in the getaddressdisplay method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.rendertemplate with a context derived from the addressdict parameter, which can be either a dictionary or a string...

8.8CVSS7.2AI score
Exploits0References2
OSV
OSV
added 2025/12/15 6:15 p.m.3 views

CVE-2025-66440

An issue was discovered in Frappe ERPNext through 15.89.0. Function getoutstandingreferencedocuments at erpnext/accounts/doctype/paymententry/paymententry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by injecting SQL payloads via the...

8.8CVSS7.6AI score
Exploits0References2
OSV
OSV
added 2025/12/15 6:15 p.m.1 views

CVE-2025-66436

An SSTI Server-Side Template Injection vulnerability exists in the gettermsandconditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates terms using frappe.rendertemplate with a user-supplied context doc. Although Frappe uses a custom...

4.3CVSS7.4AI score
Exploits0References2
NVD
NVD
added 2025/12/15 5:15 p.m.6 views

CVE-2025-66435

An SSTI Server-Side Template Injection vulnerability exists in the getcontracttemplate method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates contractterms using frappe.rendertemplate with a user-supplied context doc. Although Frappe uses a custom...

4.3CVSS0.00289EPSS
Exploits1References2
NVD
NVD
added 2025/12/15 5:15 p.m.7 views

CVE-2025-66434

An SSTI Server-Side Template Injection vulnerability exists in the getdunninglettertext method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates bodytext using frappe.rendertemplate with a user-supplied context doc. Although Frappe uses a custom...

8.8CVSS0.00507EPSS
Exploits1References2
OSV
OSV
added 2025/12/15 5:15 p.m.4 views

CVE-2025-66434

An SSTI Server-Side Template Injection vulnerability exists in the getdunninglettertext method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates bodytext using frappe.rendertemplate with a user-supplied context doc. Although Frappe uses a custom...

8.8CVSS7.3AI score
Exploits0References2
OSV
OSV
added 2025/12/15 5:15 p.m.2 views

CVE-2025-66435

An SSTI Server-Side Template Injection vulnerability exists in the getcontracttemplate method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates contractterms using frappe.rendertemplate with a user-supplied context doc. Although Frappe uses a custom...

4.3CVSS7.3AI score
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/12/15 12:0 a.m.3 views

CVE-2025-66438

A Server-Side Template Injection SSTI vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.gethtmlandstyle triggers the rendering of the html field inside a Print Format document using frappe.rendertemplatetemplate...

6.1AI score0.00429EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2025/12/15 12:0 a.m.3 views

CVE-2025-66435

An SSTI Server-Side Template Injection vulnerability exists in the getcontracttemplate method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates contractterms using frappe.rendertemplate with a user-supplied context doc. Although Frappe uses a custom...

7.1AI score0.00289EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2025/12/15 12:0 a.m.6 views

PT-2025-51252

An SSTI Server-Side Template Injection vulnerability exists in the get dunning letter text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates body text using frappe.render template with a user-supplied context doc. Although Frappe uses a custom...

7.5AI score0.00507EPSS
Exploits1References3
Rows per page
Query Builder