Frappe ERPNext Error-Based SQL Injection Vulnerability

Vulnerability

A vulnerability allowing error-based SQL injection has been identified in Frappe ERPNext. This issue affects versions prior to 14.89.2 and 15.0.0 through 15.75.1. The vulnerability arises from a lack of parameter validation in certain endpoints, which could be exploited to retrieve information such as the application version.

Impact

Exploitation of this vulnerability allows for error-based SQL injection, where an attacker can manipulate SQL queries to extract information from the database or potentially execute arbitrary SQL commands.
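The two properties the advisory describes, unvalidated request parameters reaching a SQL string and database error text reaching the caller, are what make an injection "error-based". The following added example is not Frappe or ERPNext code and does not reproduce the affected endpoints; it uses a constructed in-memory SQLite table (the names `item`, `lookup_vulnerable`, `lookup_hardened` and `response_leaks_db_error` are assumptions) to contrast a query built by string formatting that echoes engine errors with a parameterized, validated version that returns only a generic message, plus a small response check a defender can run to spot leaked database errors.

```python
import sqlite3

# Constructed in-memory database standing in for an application DB
# (illustration only; not the ERPNext schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (name TEXT, item_group TEXT)")
    conn.executemany(
        "INSERT INTO item VALUES (?, ?)",
        [("Widget", "Products"), ("O'Ring", "Parts")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by string formatting, so the caller's parameter becomes SQL.

    The raw database error is returned to the caller, which is the
    information channel an error-based injection relies on.
    """
    sql = "SELECT item_group FROM item WHERE name = '%s'" % name
    try:
        row = conn.execute(sql).fetchone()
        return {"ok": True, "item_group": row[0] if row else None}
    except sqlite3.Error as e:
        return {"ok": False, "error": str(e)}


def lookup_hardened(conn, name):
    """Validates the parameter, binds it as data, and never echoes DB errors."""
    # Type and length checks: reject anything that is not a plausible item name.
    if not isinstance(name, str) or not name or len(name) > 140:
        return {"ok": False, "error": "invalid parameter"}
    try:
        row = conn.execute(
            "SELECT item_group FROM item WHERE name = ?", (name,)
        ).fetchone()
        return {"ok": True, "item_group": row[0] if row else None}
    except sqlite3.Error:
        # Log the exception server-side; the client gets a generic message only.
        return {"ok": False, "error": "internal error"}


# Substrings that indicate a database engine error has leaked into a response.
# Constructed list; extend it for the engines in your environment.
DB_ERROR_MARKERS = ("syntax error", "sqlite3", "mysql", "mariadb", "near \"")


def response_leaks_db_error(body):
    """Return True if a response body contains engine-specific error text."""
    lowered = body.lower()
    return any(marker.lower() in lowered for marker in DB_ERROR_MARKERS)


if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing a quote is enough to break the naive query.
    print(lookup_vulnerable(db, "O'Ring"))
    print(lookup_hardened(db, "O'Ring"))
```

Running the block shows the naive lookup failing with the engine's own syntax error for a perfectly legitimate value, while the hardened lookup returns the row; `response_leaks_db_error` is the kind of check worth running over captured API responses in testing or a WAF log review, because leaked error text is the precondition for this class of bug regardless of which endpoint is affected.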

Remediation

Users should upgrade to ERPNext 14.89.2 (for the 14.x line) or 15.76.0 (for the 15.x line) to address this vulnerability.

Added: Sep 6, 2025, 1:17 AM
Updated: Sep 6, 2025, 1:17 AM

Vulnerability Rating

Custom Algorithm

spread:         3.1
impact:         0.6
exploitability: 5.2
remediation:    7.7
relevance:      0.4
threat:         0.0
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.