CVE-2025-65267

Published: Dec 3, 2025Modified: Dec 5, 2025

9.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Exploitability: 2.3 / Impact: 6.0

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.

Affected (2)

Products: Frappe: Erpnext, Frappe

2 products

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Frappe Erpnext	Version 15.83.2
Frappe Frappe	Version 15.86.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (3)

https://github.com/PhDg1410/CVE/tree/main/CVE-2025-65267

Source: cve@mitre.org

Third Party Advisory

https://github.com/frappe/erpnext

Source: cve@mitre.org

Product

https://github.com/frappe/frappe

Source: cve@mitre.org

Product

Timeline

No history available yet.