Description
Frappe is a full-stack web application framework. Prior to 15.74.2 and 14.96.15, an attacker could implement SQL injection through specially crafted requests, allowing malicious people to access sensitive information. This vulnerability is a bypass of the official patch released for CVE-2025-52895. This vulnerability is fixed in 15.74.2 and 14.96.15.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/frappe/frappe/security/advisories/GHSA-6rpr-2hjx-w9vp
Patch x_refsource_misc
https://github.com/frappe/frappe/commit/24dd2d9420a7c68ce09875cb18586d1bf071c857
Patch x_refsource_misc
https://github.com/frappe/frappe/commit/abe2cc25e333cd794405d12caec4da0279a54e6e
Scores
CVSS v3
7.5
EPSS
0.0004
EPSS Percentile
11.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (1)
frappe/frappe
< 14.96.15
Published
Aug 20, 2025
Tracked Since
Feb 18, 2026