Frappe may be vulnerable remote code execution due to server-side...

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Description

Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server, resulting in remote code execution. Versions 14.99.6 and 15.88.1 fix the issue. No known workarounds are available.

AI Analysis

Remote code execution due to server-side template injection

Basic Information

ID CVE-2025-68929

Source GitHub_M

Published Dec 29, 2025 at 15:10

Modified Dec 29, 2025 at 16:13

Affected Product

Vendor frappe

Product frappe

Version < 14.99.6

Affected Versions frappe frappe < 14.99.6
frappe frappe >= 15.0.0, < 15.88.1

CWE Classification

CWE-1336

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor Frappe

Product Frappe Framework

Version < 14.99.6, >= 15.0.0, < 15.88.1

References

{
    "lastseen": "",
    "description": "Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server, resulting in remote code execution. Versions 14.99.6 and 15.88.1 fix the issue. No known workarounds are available.",
    "published": "2025-12-29T15:10:59.510Z",
    "modified": "2025-12-29T16:13:17.680Z",
    "type": "cve",
    "title": "Frappe may be vulnerable remote code execution due to server-side template injection",
    "source": "GitHub_M",
    "references": "https://github.com/frappe/frappe/security/advisories/GHSA-qq98-vfv9-xmxh\nhttps://github.com/frappe/frappe/releases/tag/v14.99.6\nhttps://github.com/frappe/frappe/releases/tag/v15.88.1",
    "id": "CVE-2025-68929",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1336"
    ],
    "cvelist": null,
    "sourceData": "frappe frappe < 14.99.6\nfrappe frappe >= 15.0.0, < 15.88.1",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "frappe",
    "version": "< 14.99.6",
    "vendor": "frappe",
    "ai_description": "Remote code execution due to server-side template injection",
    "ai_severity": "Critical",
    "ai_vendor": "Frappe",
    "ai_product": "Frappe Framework",
    "ai_version": "< 14.99.6, >= 15.0.0, < 15.88.1",
    "ai_score": 9.1
}

Frappe may be vulnerable remote code execution due to server-side template injection_CVE-2025-68929