CVE-2025-67289

An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.

critical 9.6 CVSS 3.1
Published: Dec 22, 2025
Modified: Jan 2, 2026
Vendor: Frappe
Product: Erpnext
Versions: 15.89.0

Description

An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.

References

Related CVEs

CVE-2025-68929 critical · 9.0
Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially
CVE-2025-68928 medium · 5.4
Frappe CRM is an open-source customer relationship management tool. Prior to version 1.56.2, authenticated users could set crafted URLs in a website field, which were not sanitized