SQL Injection Vulnerability in Frappe ERPNext Accounting Module
CVE-2025-66439
9.8 CRITICAL
What is CVE-2025-66439?
A SQL injection vulnerability exists in the Frappe ERPNext accounting module. The function get_outstanding_reference_documents() does not properly handle user-supplied data: a caller-controlled value passed through the from_posting_date parameter is incorporated into a database query without adequate sanitization or parameter binding. An attacker can therefore supply crafted input through that parameter to inject SQL statements into the query, which may allow unauthorized access to and extraction of sensitive data from the database, posing a significant risk to affected systems.
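To illustrate the vulnerability class described above, the following added Python example (not code from the ERPNext project or from this advisory) models a simplified outstanding-documents lookup over an in-memory SQLite table. It places a hypothetical vulnerable function that pastes from_posting_date into the SQL text beside a hardened version that validates the value as a date and binds it as a query parameter. The table names, sample rows, secret value and payload are all constructed for the example; the real ERPNext query shape is not reproduced here.

```python
import datetime
import sqlite3

# Constructed sample value standing in for data an attacker would want to read.
SECRET = "sk_live_constructed_example"


def build_db():
    """Constructed in-memory ledger; stands in for accounting tables, not real ERPNext data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE invoice (name TEXT, posting_date TEXT, outstanding REAL);
        CREATE TABLE secret (api_key TEXT);
        INSERT INTO invoice VALUES ('INV-0001', '2025-01-10', 100.0);
        INSERT INTO invoice VALUES ('INV-0002', '2025-03-05', 50.0);
        INSERT INTO invoice VALUES ('INV-0003', '2025-03-20', 0.0);
        INSERT INTO secret VALUES ('sk_live_constructed_example');
        """
    )
    return conn


def outstanding_vulnerable(conn, from_posting_date):
    """Hypothetical vulnerable pattern: the caller-controlled date is interpolated into SQL text."""
    sql = (
        "SELECT name FROM invoice WHERE outstanding > 0 "
        f"AND posting_date >= '{from_posting_date}'"
    )
    return [row[0] for row in conn.execute(sql)]


def outstanding_bound_only(conn, from_posting_date):
    """Parameter binding alone: the value can only ever be compared as a string literal."""
    sql = "SELECT name FROM invoice WHERE outstanding > 0 AND posting_date >= ?"
    return [row[0] for row in conn.execute(sql, (from_posting_date,))]


def outstanding_fixed(conn, from_posting_date):
    """Hardened form: reject anything that is not a YYYY-MM-DD date, then bind it."""
    parsed = datetime.date.fromisoformat(from_posting_date)  # raises ValueError on junk
    return outstanding_bound_only(conn, parsed.isoformat())


def demo():
    """Run all three variants against one constructed payload and return the results."""
    conn = build_db()
    # Constructed payload: closes the quoted literal, appends a UNION over another
    # table, and comments out the dangling quote that follows.
    payload = "2025-01-01' UNION ALL SELECT api_key FROM secret -- "
    try:
        outstanding_fixed(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "honest": outstanding_fixed(conn, "2025-02-01"),
        "leaked": outstanding_vulnerable(conn, payload),
        "bound_only": outstanding_bound_only(conn, payload),
        "rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable variant returns the secret alongside the invoice names because the payload rewrites the query. Binding the value as a parameter is enough on its own to stop the injection (the payload is compared as a plain string and the secret table is never touched), and the additional date validation in the hardened variant rejects malformed input outright instead of running a nonsensical comparison.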
CVSS v3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
