CVE Catalog
CVE-2025-67289
CriticalCVSS 9.6Exploitation Probability (EPSS)
Low risk0.40%
32th percentile - higher than 32% of all known CVEs
Summary
An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code by uploading a crafted XML file.
Risk Assessment
The risk for the organization includes remote code execution, which could lead to system compromise, data theft, or service disruption.
Recommendation
It is recommended to immediately update Frappe Framework to the latest patched version and implement file type validation in the Attachments module.
Original NVD description (English source)
An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.

