CVE 9 CRITICAL

CVE-2025-65267_CVE-2025-65267

December 3, 2025 invoker category_cve

9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Description

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.

AI Analysis

Stored cross-site scripting (XSS) vulnerability in ERPNext and Frappe Framework due to improper validation of uploaded SVG avatar images

Basic Information

ID CVE-2025-65267

Source mitre

Published Dec 3, 2025 at 00:00

Modified Dec 3, 2025 at 15:13

Affected Product

Vendor Frappe Technologies

Product ERPNext, Frappe Framework

Version 15.83.2, 15.86.0

Affected Versions n/a n/a n/a

CWE Classification

CWE-79

AI Assessment

AI Score 9 / 10

AI Severity Critical

Vendor Frappe Technologies

Product ERPNext, Frappe Framework

Version 15.83.2, 15.86.0

References

{
    "lastseen": "",
    "description": "In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.",
    "published": "2025-12-03T00:00:00.000Z",
    "modified": "2025-12-03T15:13:30.219Z",
    "type": "cve",
    "title": "CVE-2025-65267",
    "source": "mitre",
    "references": "https://github.com/frappe/frappe\nhttps://github.com/frappe/erpnext\nhttps://github.com/PhDg1410/CVE/tree/main/CVE-2025-65267",
    "id": "CVE-2025-65267",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ERPNext, Frappe Framework",
    "version": "15.83.2, 15.86.0",
    "vendor": "Frappe Technologies",
    "ai_description": "Stored cross-site scripting (XSS) vulnerability in ERPNext and Frappe Framework due to improper validation of uploaded SVG avatar images",
    "ai_severity": "Critical",
    "ai_vendor": "Frappe Technologies",
    "ai_product": "ERPNext, Frappe Framework",
    "ai_version": "15.83.2, 15.86.0",
    "ai_score": 9
}

💭 Join the Security Discussion ❌ Cancel Reply