Stored XSS Vulnerability in ERPNext and Frappe Framework
CVE-2025-65267

9CRITICAL

Key Information:

Vendor: Frappe
Status: ERPNext
Vendor: CVE Published:; 3 December 2025

What is CVE-2025-65267?

In versions 15.83.2 of ERPNext and 15.86.0 of the Frappe Framework, a flaw in the validation of uploaded SVG avatar images can be exploited by attackers to inject malicious JavaScript code. This payload executes when an administrator views the avatar image, potentially allowing the attacker to perform actions such as account takeover, privilege escalation, or even a complete compromise of the ERPNext instance. This vulnerability underscores the need for enhanced input validation mechanisms to ensure user-uploaded content is adequately sanitized.

References

https://github.com/frappe/frappe

https://github.com/frappe/erpnext

https://github.com/PhDg1410/CVE/tree/main/CVE-2025-65267

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Dec 3, 2025
Vulnerability Reserved
Nov 18, 2025

JSON