Server-Side Template Injection in ERPNext by Frappe
CVE-2025-66436
What is CVE-2025-66436?
A Server-Side Template Injection (SSTI) vulnerability exists in Frappe's ERPNext software due to insecure handling of user-supplied templates in the get_terms_and_conditions method. The flaw allows an authenticated user who can create or modify Terms and Conditions documents to inject arbitrary Jinja expressions. As a result, a malicious user can execute unsafe code, including database queries, compromising the application's integrity and exposing sensitive information such as database contents. Although a custom SandboxedEnvironment is in place, dangerous global variables remain reachable from templates, which increases the risk of exploitation. Effective mitigation measures should be implemented to safeguard against such vulnerabilities.
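As an added illustration of the sandbox point above, not code from ERPNext or Frappe: a minimal Jinja2 rendering function that mirrors the described weakness (a SandboxedEnvironment whose globals still expose a database handle, here a constructed stand-in) beside a hardened version that passes only plain document fields into the render context and rejects any template that reaches for anything else. The FakeDB class, the function names, the sample rows and the template strings are assumptions.

```python
from jinja2 import StrictUndefined
from jinja2.sandbox import SandboxedEnvironment
from jinja2.exceptions import SecurityError, UndefinedError


class FakeDB:
    """Constructed stand-in for a database handle (not a real driver)."""

    def __init__(self):
        self.rows = [("alice", "secret-hash")]  # constructed sample data

    def sql(self, query):
        # Any query returns the sample rows; enough to show the leak.
        return self.rows


def render_unsafe(template_src):
    """Vulnerable pattern (assumed): a sandbox is used, but a live DB
    handle sits in the environment globals, so any template author can
    call it. The sandbox restricts attribute access on Python internals;
    it cannot police objects the application hands to it on purpose."""
    env = SandboxedEnvironment(autoescape=False)
    env.globals["db"] = FakeDB()
    return env.from_string(template_src).render()


def render_hardened(template_src, fields):
    """Hardened pattern (assumed): no privileged objects in globals,
    only plain document fields in the render context, and StrictUndefined
    so an unknown name fails instead of rendering as an empty string."""
    env = SandboxedEnvironment(autoescape=True, undefined=StrictUndefined)
    try:
        return env.from_string(template_src).render(**fields)
    except (SecurityError, UndefinedError) as exc:
        # Surface a safe failure for logging; never render a partial result.
        raise ValueError(f"template rejected: {exc}") from exc


def is_rejected(template_src, fields):
    """Defender-side check: True when the hardened renderer refuses."""
    try:
        render_hardened(template_src, fields)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    probe = "{{ db.sql('select 1') }}"  # constructed template probe
    print(render_unsafe(probe))  # sample rows leak through the sandbox
    print(render_hardened("Hello {{ customer }}", {"customer": "ACME"}))
    print(is_rejected(probe, {"customer": "ACME"}))
```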