SQL Injection Vulnerability in Frappe ERPNext Software
CVE-2025-52040

8.2HIGH

Key Information:

Vendor: Frappe
Status: ERPNext
Vendor: CVE Published:; 1 October 2025

What is CVE-2025-52040?

Frappe ERPNext version 15.57.5 contains a SQL Injection vulnerability in the get_blanket_orders() function, located in the erpnext/controllers/queries.py file. This flaw allows an attacker to manipulate the blanket_order_type parameter, potentially enabling them to execute arbitrary SQL queries and gain unauthorized access to sensitive database information. Exploiting this vulnerability could lead to severe data breaches, making immediate patching and mitigation essential for affected users.

References

https://github.com/Vietsunshine-Electronic-Solution-JSC/V...

https://github.com/frappe/erpnext/pull/49192/commits/1db1...

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 1, 2025
Vulnerability Reserved
Jun 16, 2025

JSON