2 matches found
CVE-2025-52040
In Frappe ERPNext 15.57.5, the function getblanketorders at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker can extract all information from databases by injecting a SQL query into the blanketordertype parameter...
CVE-2025-52041
In Frappe ERPNext 15.57.5, the function get_stock_balance_for() in erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is vulnerable to SQL Injection via the inventory_dimensions_dict parameter, enabling an attacker to extract all information from databases. The vulnerability is do...