Hiw0rl4

12 exploits Active since Jul 2025
CVE-2025-52039 WRITEUP HIGH WRITEUP
Frappe Erpnext - SQL Injection
In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/material_request.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the txt parameter.
CVSS 8.2
CVE-2025-52040 WRITEUP HIGH WRITEUP
Frappe Erpnext - SQL Injection
In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker can extract all information from databases by injecting a SQL query into the blanket_order_type parameter.
CVSS 8.2
CVE-2025-52041 WRITEUP HIGH WRITEUP
Frappe Erpnext - SQL Injection
In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the inventory_dimensions_dict parameter.
CVSS 8.2
CVE-2025-52042 WRITEUP HIGH WRITEUP
Frappe Erpnext - SQL Injection
In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_quotation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query via the txt parameter.
CVSS 8.2
CVE-2025-52043 WRITEUP MEDIUM WRITEUP
Frappe Erpnext - SQL Injection
In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the company parameter.
CVSS 6.5
CVE-2025-52044 WRITEUP HIGH WRITEUP
Frappe Erpnext - SQL Injection
In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query into inventory_dimensions_dict parameter.
CVSS 7.5
CVE-2025-52046 WRITEUP CRITICAL WRITEUP
Totolink A3300r Firmware - Command Injection
Totolink A3300R V17.0.0cu.596_B20250515 was found to contain a command injection vulnerability in the sub_4197C0 function via the mac and desc parameters. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request.
CVSS 9.8
CVE-2025-52047 WRITEUP MEDIUM WRITEUP
Frappe Erpnext - SQL Injection
In Frappe ErpNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the filters.disabled parameter.
CVSS 6.5
CVE-2025-52048 WRITEUP MEDIUM WRITEUP
Frappe < 14.96.10 - SQL Injection
In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py` is vulnerable to SQL Injection, which allows an attacker to extract information from databases by injecting a SQL query into the `dt` parameter.
CVSS 6.5
CVE-2025-52049 WRITEUP MEDIUM WRITEUP
Frappe Erpnext - SQL Injection
In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query into the timelog parameter.
CVSS 6.5
CVE-2025-52050 WRITEUP MEDIUM WRITEUP
Frappe Erpnext - SQL Injection
In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loyalty_program.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the expiry_date parameter.
CVSS 6.5
CVE-2025-52284 WRITEUP MEDIUM WRITEUP
Totolink X6000r Firmware - Command Injection
Totolink X6000R V9.4.0cu.1360_B20241207 was found to contain a command injection vulnerability in the sub_4184C0 function via the tz parameter. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request.
CVSS 6.5