6 matches found
CVE-2025-67289
An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file...
CVE-2025-67289
An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file...
CVE-2025-67289
CVE-2025-67289 affects Frappe Framework, specifically the Attachments module in v15.89.0. The vulnerability allows arbitrary code execution through uploading a crafted XML file, enabling an attacker to run code on the server. The CVSS v3.1 base score is 9.6 (CRITICAL) with network access, no priv...
PT-2025-52668
Name of the Vulnerable Software and Affected Versions: Frappe Framework version 15.89.0. Description: A flaw exists within the Attachments module that permits arbitrary file uploads. Successful exploitation, involving the upload of a specially crafted XML file, could lead to the execution of arbitra...
CVE-2025-66434
An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (body_text) using frappe.render_template with a user-supplied context (doc). Although Frappe uses a custom...
PT-2025-51257
Name of the Vulnerable Software and Affected Versions: Frappe ERPNext versions through 15.89.0. Description: An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method. The function renders attacker-controlled Jinja2 templates (terms) using frappe.render_templat...