
Description

An issue was discovered in Frappe ERPNext through 15.89.0. The function get_outstanding_reference_documents() in erpnext/accounts/doctype/payment_entry/payment_entry.py is vulnerable to SQL injection: the to_posting_date parameter is interpolated directly into the query text without sanitization or parameter binding, so an attacker who controls that parameter can inject SQL and extract arbitrary data from the database.
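To make the bug class concrete, the following is an added example (not ERPNext's code and not taken from the advisory): a date filter pasted into SQL text, the same request sent through a bound parameter, and a hardened variant that also validates the value as an ISO date before binding. The table names, the query shape, the in-memory SQLite database and the sample rows are all assumptions chosen for illustration; the real function runs against MariaDB through Frappe's database layer and its query differs.

```python
"""
Illustration of a date parameter interpolated into SQL versus bound as a
parameter. Added example: tables, rows, and query shape are invented and
are not ERPNext's get_outstanding_reference_documents().
"""
import datetime
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE tabPaymentDoc (name TEXT, posting_date TEXT, outstanding REAL);
        CREATE TABLE tabUser (name TEXT, api_secret TEXT);
        INSERT INTO tabPaymentDoc VALUES ('INV-0001', '2025-01-10', 100.0);
        INSERT INTO tabPaymentDoc VALUES ('INV-0002', '2025-03-05', 250.0);
        INSERT INTO tabUser VALUES ('admin@example.com', 's3cr3t-token');
        """
    )
    return conn


def outstanding_docs_vulnerable(conn, to_posting_date):
    """Vulnerable pattern: the caller-controlled value becomes part of the SQL text."""
    sql = (
        "SELECT name, outstanding FROM tabPaymentDoc "
        f"WHERE posting_date <= '{to_posting_date}'"
    )
    return conn.execute(sql).fetchall()


def outstanding_docs_bound(conn, to_posting_date):
    """Binding alone: the value travels as data, never as SQL, so no injection."""
    sql = "SELECT name, outstanding FROM tabPaymentDoc WHERE posting_date <= ?"
    return conn.execute(sql, (to_posting_date,)).fetchall()


def outstanding_docs_fixed(conn, to_posting_date):
    """Binding plus type validation: reject anything that is not an ISO date."""
    try:
        parsed = datetime.date.fromisoformat(to_posting_date)
    except (TypeError, ValueError):
        raise ValueError(f"to_posting_date is not a date: {to_posting_date!r}")
    return outstanding_docs_bound(conn, parsed.isoformat())


# Constructed payload: closes the quoted literal, appends a UNION that reads
# another table with the same column count, and comments out the trailing quote.
PAYLOAD = "2025-12-31' UNION SELECT name, api_secret FROM tabUser -- "


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", outstanding_docs_vulnerable(db, PAYLOAD))
    print("bound only:", outstanding_docs_bound(db, PAYLOAD))
    try:
        outstanding_docs_fixed(db, PAYLOAD)
    except ValueError as exc:
        print("fixed:", exc)
```

With the payload, the vulnerable function returns the tabUser row alongside the invoices. The bound variant returns only invoices, because the whole payload is compared as a string against posting_date and never parsed as SQL; the validated variant rejects it outright, which is the cheaper place to stop it and also gives a clean error instead of a silently empty or over-broad result.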

Status: Published | Reserved: 2025-11-30 | Published: 2025-12-15 | Updated: 2025-12-16 | Assigner: MITRE

References

github.com/frappe/frappe/security

iamanc.github.io/post/erpnext-sqli

cve.org (CVE-2025-66440)

nvd.nist.gov (CVE-2025-66440)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.