Arbitrary File Upload Risk in Frappe Framework Attachments Module
CVE-2025-67289

9.6CRITICAL

Key Information:

Vendor: Frappe
Status: Frappe Framework
Vendor: CVE Published:; 22 December 2025

What is CVE-2025-67289?

An arbitrary file upload vulnerability exists within the Attachments module of the Frappe Framework version 15.89.0. This flaw permits attackers to upload crafted XML files, potentially leading to the execution of arbitrary code on the host system. Proper validation mechanisms must be put in place to mitigate this risk and safeguard sensitive information against unauthorized access and exploitation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

http://erpnext.com

http://frappe.com

https://github.com/vuquyen03/CVE/blob/main/CVE-2025-67289...

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 22, 2025
Vulnerability Reserved
Dec 8, 2025

JSON

Frappe

What is CVE-2025-67289?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.