Frappe

Erpnext

61 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
8.8

CVE-2025-66439

Exploit
  • EPSS 0.33%
  • Veröffentlicht 15.12.2025 00:00:00
  • Zuletzt bearbeitet 05.01.2026 18:21:38

An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext.accounts.doctype.payment_entry.payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from ...

8.8

CVE-2025-66437

Exploit
  • EPSS 0.52%
  • Veröffentlicht 15.12.2025 00:00:00
  • Zuletzt bearbeitet 05.01.2026 18:19:07

An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.render_template() with a context derived from the address_dict par...

4.3

CVE-2025-66436

Exploit
  • EPSS 0.29%
  • Veröffentlicht 15.12.2025 00:00:00
  • Zuletzt bearbeitet 23.12.2025 17:54:23

An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (terms) using frappe.render_template() with a user-suppl...

4.3

CVE-2025-66435

Exploit
  • EPSS 0.29%
  • Veröffentlicht 15.12.2025 00:00:00
  • Zuletzt bearbeitet 23.12.2025 17:56:56

An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (contract_terms) using frappe.render_template() with a user...

8.8

CVE-2025-66434

Exploit
  • EPSS 0.51%
  • Veröffentlicht 15.12.2025 00:00:00
  • Zuletzt bearbeitet 23.12.2025 17:57:35

An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (body_text) using frappe.render_template() with a user-su...

9

CVE-2025-65267

  • EPSS 0.29%
  • Veröffentlicht 03.12.2025 15:15:55
  • Zuletzt bearbeitet 05.12.2025 18:35:19

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in sto...

6.5

CVE-2025-56381

Exploit
  • EPSS 0.29%
  • Veröffentlicht 02.10.2025 14:15:45
  • Zuletzt bearbeitet 03.10.2025 16:18:36

ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters.

6.5

CVE-2025-56380

Exploit
  • EPSS 0.29%
  • Veröffentlicht 02.10.2025 14:15:45
  • Zuletzt bearbeitet 03.10.2025 16:18:50

Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the frappe.client.get_value API endpoint and a crafted script to the fieldname parameter

5.4

CVE-2025-56379

Exploit
  • EPSS 0.37%
  • Veröffentlicht 02.10.2025 14:15:45
  • Zuletzt bearbeitet 03.10.2025 19:15:49

A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field.

8.2

CVE-2025-52041

Exploit
  • EPSS 0.31%
  • Veröffentlicht 01.10.2025 15:15:46
  • Zuletzt bearbeitet 03.10.2025 16:19:17

In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQ...