SQL Injection Vulnerability in Frappe Web Application Framework
CVE-2025-52895

8.7 HIGH

Key Information:

Vendor: Frappe

CVE Published: 30 June 2025

What is CVE-2025-52895?

Frappe, a comprehensive web application framework, contains a SQL injection vulnerability that can be triggered through crafted requests. The flaw enables unauthorized access to sensitive data, compromising the security of applications built on the framework. The vulnerability has been addressed in releases 14.94.3 and 15.58.0, so users should upgrade to one of these versions to protect their systems against exploitation.

Affected Version(s)

frappe < 15.58.0

frappe < 14.94.3

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
