CVE-2025-65267

Critical CVSS: 9.0

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.

Vendor

Frappe

Product

Erpnext

CWE

CWE-79

Yayın Tarihi

2025-12-03 15:15:55

Güncelleme

2025-12-05 18:35:19

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-79 Erpnext CRITICAL Frappe 2025

Referanslar

https://github.com/PhDg1410/CVE/tree/main/CVE-2025-65267 https://github.com/frappe/erpnext https://github.com/frappe/frappe

Benzer Kayıtlar

High

CVE-2026-32954

ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpo…

Critical

CVE-2026-31877

Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a ce…

Medium

CVE-2026-31878

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a…

Medium

CVE-2026-31879

Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation…

Medium

CVE-2026-28436

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted…

High

CVE-2026-29077

Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation wh…