SQL Injection Vulnerability in Frappe ERPNext by Frappe
CVE-2025-52039

8.2 HIGH

Key Information:

Vendor: Frappe
Status: Vendor
CVE Published: 1 October 2025

What is CVE-2025-52039?

Frappe ERPNext version 15.57.5 contains an SQL injection vulnerability in the function get_material_requests_based_on_supplier() in material_request.py. The function incorporates the txt search parameter into the SQL it executes without binding it as a query parameter, so a remote attacker who can reach the endpoint can alter the query through txt and read data from the database that the query was never meant to expose. Because the injected statement runs with the privileges of the application's database connection, this puts the confidentiality of stored data at risk and can also affect its integrity. Affected installations should be upgraded to a release in which this query is parameterised.
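The paragraph above names the injection point but not the shape of the flaw. The following Python is an added, constructed example and is not ERPNext's material_request.py (whose real query is not reproduced here): against an in-memory SQLite database it shows how a txt value spliced into a LIKE clause lets a UNION payload pull rows out of an unrelated table, and how binding txt as a parameter closes the hole. The table names, sample rows, payload and both lookup functions are assumptions made for the demonstration.

```python
"""
Constructed stand-in for the CVE-2025-52039 injection pattern.
Not ERPNext code: schema, rows and both query functions are hypothetical and
exist only so the vulnerable and hardened shapes can be run side by side.
"""
import sqlite3

# Constructed schema loosely modelled on Frappe's `tab<DocType>` table naming.
SCHEMA = """
CREATE TABLE "tabMaterial Request" (name TEXT, supplier TEXT, status TEXT);
CREATE TABLE "tabUser" (name TEXT, email TEXT, api_key TEXT);
"""

# Constructed sample rows; the api_key value is a placeholder, not a real secret.
ROWS = {
    "tabMaterial Request": [
        ("MAT-MR-0001", "SUP-001", "Pending"),
        ("MAT-MR-0002", "SUP-001", "Ordered"),
        ("MAT-MR-0003", "SUP-002", "Pending"),
    ],
    "tabUser": [
        ("admin", "admin@example.com", "ak_constructed_placeholder"),
    ],
}


def make_db():
    """Build the in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        placeholders = ", ".join("?" * len(rows[0]))
        conn.executemany(f'INSERT INTO "{table}" VALUES ({placeholders})', rows)
    return conn


def vulnerable_lookup(conn, supplier, txt):
    """Hypothetical vulnerable shape: `txt` is formatted straight into the SQL."""
    query = f"""
        SELECT name, supplier, status FROM "tabMaterial Request"
        WHERE supplier = '{supplier}' AND name LIKE '%{txt}%'
    """
    return conn.execute(query).fetchall()


def safe_lookup(conn, supplier, txt):
    """Hardened form: both values are bound, so `txt` can only be a LIKE pattern."""
    query = """
        SELECT name, supplier, status FROM "tabMaterial Request"
        WHERE supplier = ? AND name LIKE ?
    """
    return conn.execute(query, (supplier, f"%{txt}%")).fetchall()


# Constructed payload: the leading quote closes the '%...' literal, UNION appends
# rows from another table with a matching column count, and the trailing
# '-- ' comments out the remainder of the original statement.
PAYLOAD = "' UNION SELECT name, email, api_key FROM \"tabUser\" -- "


def leaked_rows(conn, supplier="SUP-001"):
    """Rows the vulnerable query returns that do not belong to tabMaterial Request."""
    legit = set(ROWS["tabMaterial Request"])
    return [r for r in vulnerable_lookup(conn, supplier, PAYLOAD) if r not in legit]


def run_demo():
    conn = make_db()
    return {
        "normal_search": safe_lookup(conn, "SUP-001", "0001"),
        "leaked_via_vulnerable": leaked_rows(conn),
        "payload_against_safe": safe_lookup(conn, "SUP-001", PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(f"{label}: {rows}")
```

With the vulnerable function the UNION payload returns the constructed tabUser row alongside the legitimate material requests; the parameterised function treats the same payload as an ordinary search string and returns nothing. The defence is to bind every user-supplied value, not to strip characters from txt, because a blocklist on quotes is easy to bypass and breaks legitimate searches.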

CVSS v3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Note that these metrics are internally inconsistent: with Availability at High they compute to a base score of 9.4, whereas the published 8.2 corresponds to the same metrics with Availability at None (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). Confirm the vector against the official CVE record before relying on either figure.

Timeline

  • Vulnerability published: 1 October 2025

  • Vulnerability reserved