Arbitrary File Upload Risk in Frappe Framework Attachments Module
CVE-2025-67289
9.6 CRITICAL
What is CVE-2025-67289?
An arbitrary file upload vulnerability exists within the Attachments module of the Frappe Framework version 15.89.0. This flaw permits attackers to upload crafted XML files, potentially leading to the execution of arbitrary code on the host system. Proper validation mechanisms must be put in place to mitigate this risk and safeguard sensitive information against unauthorized access and exploitation.
CVSS V3.1
Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
