CVE-2025-11461

High CVSS: 7.1

Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements.
This issue affects Frappe CRM: 1.53.1.

Vendor

Frappe

Product

Frappe Crm

CWE

CWE-89

Yayın Tarihi

2025-11-26 18:15:46

Güncelleme

2025-12-19 16:32:47

Source Identifier

help@fluidattacks.com

KEV Date Added

Kategoriler

CWE-89 Frappe Crm HIGH Frappe 2025

Referanslar

https://fluidattacks.com/advisories/oz https://github.com/frappe/crm https://github.com/frappe/crm/pull/1339 https://fluidattacks.com/advisories/oz https://github.com/frappe/crm

Benzer Kayıtlar

Medium

CVE-2026-34606

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27…

High

CVE-2026-32954

ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpo…

Critical

CVE-2026-31877

Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a ce…

Medium

CVE-2026-31878

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a…

Medium

CVE-2026-31879

Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation…

Medium

CVE-2026-28436

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted…