Home

Description

Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server, resulting in remote code execution. Versions 14.99.6 and 15.88.1 fix the issue. No known workarounds are available.

PUBLISHED Reserved 2025-12-24 | Published 2025-12-29 | Updated 2025-12-29 | Assigner GitHub_M




CRITICAL: 9.1CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Problem types

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

Product status

< 14.99.6
affected

>= 15.0.0, < 15.88.1
affected

References

github.com/...frappe/security/advisories/GHSA-qq98-vfv9-xmxh

github.com/frappe/frappe/releases/tag/v14.99.6

github.com/frappe/frappe/releases/tag/v15.88.1

cve.org (CVE-2025-68929)

nvd.nist.gov (CVE-2025-68929)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.