CVE Catalog

CVE-2025-67289

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

32th percentile - higher than 32% of all known CVEs

Summary

An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code by uploading a crafted XML file.

Risk Assessment

The risk for the organization includes remote code execution, which could lead to system compromise, data theft, or service disruption.

Recommendation

It is recommended to immediately update Frappe Framework to the latest patched version and implement file type validation in the Attachments module.

Original NVD description (English source)

An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS