Error-Based SQL Injection Vulnerability in Frappe Framework
CVE-2025-66205

7.1HIGH

Key Information:

Vendor: Frappe
Status: Frappe
Vendor: CVE Published:; 1 December 2025

What is CVE-2025-66205?

The Frappe Framework, a comprehensive web application framework, experienced a vulnerability due to insufficient validation of parameters in a specific endpoint. This flaw rendered the system susceptible to error-based SQL injection, allowing an attacker to extract sensitive information, including the version of the software. This issue has been addressed in updates 15.86.0 and 14.99.2, reinforcing the importance of keeping software up to date to mitigate potential risks.

Affected Version(s)

frappe >= 15.0.0, < 15.86.0 < 15.0.0, 15.86.0

frappe < 14.99.2 < 14.99.2

References

https://github.com/frappe/frappe/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/frappe/frappe/commit/984c641bff9539b61...

x_refsource_MISC

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 1, 2025
Vulnerability Reserved
Nov 24, 2025

CVE-2025-66205 Data

JSON