Mohammed Aloli

3 exploits, active since Oct 2025
CVE-2025-56379 MEDIUM WRITEUP
Frappe ERPNext - XSS
A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNext v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field.
CVSS 5.4
CVE-2025-56380 MEDIUM WRITEUP
Frappe ERPNext - SQL Injection
Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability in the frappe.client.get_value API endpoint, exploitable via a crafted script passed to the fieldname parameter.
CVSS 6.5
CVE-2025-56381 MEDIUM WRITEUP
Frappe ERPNext - SQL Injection
ERPNext v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters.
CVSS 6.5