CVE-2025-11461
HIGHFrappe CRM 1.53.1 - SQL Injection in Dashboard Controller
Title source: llmDescription
Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1.
References (3)
Core 3
Core References
Exploit, Third Party Advisory third-party-advisory
https://fluidattacks.com/advisories/oz
Product product
https://github.com/frappe/crm
Issue Tracking, Patch patch
https://github.com/frappe/crm/pull/1339
Scores
CVSS v3
8.8
EPSS
0.0031
EPSS Percentile
22.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-89
Status
published
Products (1)
frappe/frappe_crm
1.53.1
Published
Nov 26, 2025
Tracked Since
Feb 18, 2026