SQL Injection Vulnerability in Frappe CRM by Frappe
CVE-2025-11461

7.1HIGH

Key Information:

Vendor

Frappe

Status
Frappe Crm
Vendor
CVE Published:
26 November 2025

What is CVE-2025-11461?

The Frappe CRM Dashboard Controller is susceptible to multiple SQL injection vulnerabilities due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. Attackers could exploit this flaw to execute arbitrary SQL queries, potentially compromising the integrity and confidentiality of the database. Affected version: Frappe CRM 1.53.1. It's crucial for users to apply patches and ensure their applications are secured against such vulnerabilities.

Affected Version(s)

Frappe CRM Linux 1.53.1

References

https://fluidattacks.com/advisories/oz
third-party-advisory
https://github.com/frappe/crm
product
https://github.com/frappe/crm/pull/1339
patch

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Cristian Vargas
JSON
.