CVE-2025-66205

critical

Description

Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2.

References

https://github.com/frappe/frappe/security/advisories/GHSA-mp93-8vxr-hqq9

https://github.com/frappe/frappe/commit/984c641bff9539b6126a01146096f133db6a955b

Details

Source: Mitre, NVD

Published: 2025-12-01

Updated: 2025-12-04

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.0003