SQL Injection Vulnerability in Frappe ERPNext by Frappe
CVE-2025-66440
9.8 CRITICAL
What is CVE-2025-66440?
A vulnerability has been identified in Frappe ERPNext version 15.89.0, in the function get_outstanding_reference_documents(). It allows attackers to perform SQL Injection through the to_posting_date parameter: the parameter is interpolated directly into the SQL query without sanitization or parameter binding, enabling unauthorized access to sensitive database information and posing a severe risk to the security of valuable data.
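The defect the advisory describes is a date filter concatenated into SQL text instead of being passed as a bound parameter. The following added example (not ERPNext's or Frappe's code; it uses a constructed in-memory SQLite table whose column names, rows and function names are assumptions) shows the vulnerable pattern next to the parameterized form, plus an input check that rejects anything that is not an ISO date before it reaches the query.

```python
import sqlite3
from datetime import date


def make_db():
    """Constructed stand-in for the reference-document table (not the ERPNext schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reference_doc (name TEXT, posting_date TEXT, outstanding REAL)"
    )
    conn.executemany(
        "INSERT INTO reference_doc VALUES (?, ?, ?)",
        [
            ("INV-001", "2024-01-10", 100.0),
            ("INV-002", "2024-02-15", 250.0),
            ("INV-003", "2024-03-20", 75.0),
        ],
    )
    return conn


def outstanding_docs_vulnerable(conn, to_posting_date):
    """Mirrors the flaw class in the advisory: the filter value is interpolated
    into the SQL string, so the database cannot tell data from syntax."""
    query = (
        "SELECT name, outstanding FROM reference_doc "
        f"WHERE posting_date <= '{to_posting_date}'"
    )
    return conn.execute(query).fetchall()


def outstanding_docs_fixed(conn, to_posting_date):
    """Parameter binding: the value travels separately from the SQL text and is
    only ever compared as a string, never parsed as SQL."""
    query = "SELECT name, outstanding FROM reference_doc WHERE posting_date <= ?"
    return conn.execute(query, (to_posting_date,)).fetchall()


def validate_posting_date(value):
    """Defence in depth: accept only a real ISO-8601 date (YYYY-MM-DD).
    Raises ValueError for anything else, so malformed input never reaches SQL."""
    return date.fromisoformat(value).isoformat()


if __name__ == "__main__":
    conn = make_db()
    normal = "2024-02-01"
    crafted = "1900-01-01' OR '1'='1"  # constructed malformed input
    print("vulnerable, normal input:", outstanding_docs_vulnerable(conn, normal))
    print("vulnerable, malformed input:", outstanding_docs_vulnerable(conn, crafted))
    print("fixed, malformed input:", outstanding_docs_fixed(conn, crafted))
    try:
        validate_posting_date(crafted)
    except ValueError as exc:
        print("rejected before query:", exc)
```

With a well-formed date both versions return the same row; with the malformed input the interpolated query returns every row, while the bound-parameter query returns none and the validator refuses the value outright. Detection-wise, the same property gives defenders a cheap signal: a date parameter containing quotes or SQL keywords in request logs is never legitimate and is worth alerting on.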
References
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
