CVE-2025-52042

CVSS v3.1

8.2

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions Frappe ERPNext version 15.57.5

Description The get rfq containing supplier() function located at erpnext/buying/doctype/request for quotation/request for quotation.py is susceptible to SQL Injection. An attacker can inject a SQL query through the txt parameter, potentially allowing extraction of all information from databases.

Recommendations Apply a fix that properly sanitizes the txt parameter used in the get rfq containing supplier() function.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2025-52042

Affected Products

Erpnext

CVE-2025-52042

Weakness Enumeration

Related Identifiers

Affected Products

References · 8