PT-2025-48816 · Frappé Technologies · Frappe Framework+1
Published 2025-12-03 · Updated 2025-12-08 · CVE-2025-65267
CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
ERPNext version 15.83.2
Frappe Framework version 15.86.0
Description
Improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected instance.
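The root cause described above is an upload path that accepts an SVG document without checking it for active content. The following validator is an added example written for this advisory; it is not Frappe's or ERPNext's code and does not reflect their fix. It parses a candidate avatar with the standard library, refuses anything that is not a well-formed SVG root, and reports script elements, foreignObject/embedded-HTML elements, on* event-handler attributes and javascript: links, which are the SVG features that turn a static image into executable content when the file is opened directly in the browser. The size limit and the sample documents are constructed for the example.

```python
"""Screen SVG avatar uploads for active content before storing them (added example)."""
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 512 * 1024  # assumed upload cap; also bounds parser work on hostile input

# Elements that execute script or embed arbitrary HTML inside an SVG document.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}

# A javascript: scheme in an href fires when the link is clicked; allow leading
# whitespace/control bytes, which browsers strip before scheme matching.
_JS_SCHEME = re.compile(r"^[\s\x00-\x1f]*javascript\s*:", re.IGNORECASE)


def _local(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list:
    """Return the reasons an SVG upload should be rejected; an empty list means clean."""
    findings = []
    if len(data) > MAX_BYTES:
        return [f"exceeds size limit of {MAX_BYTES} bytes"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            a = _local(attr).lower()  # covers both href and xlink:href
            if a.startswith("on"):
                findings.append(f"event handler attribute {a} on <{name}>")
            elif a == "href" and _JS_SCHEME.match(value):
                findings.append(f"javascript: URL in {a} on <{name}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Convenience wrapper for an upload handler: True only when nothing was flagged."""
    return not svg_findings(data)


# Constructed sample documents for demonstration.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4" fill="#09f"/></svg>'
)
SCRIPT_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<script>/* constructed test */</script></svg>'
)
HANDLER_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<rect width="10" height="10" onclick="/* constructed test */"/></svg>'
)
HREF_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<a xlink:href="javascript:void(0)"><text>avatar</text></a></svg>'
)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                       ("handler", HANDLER_SVG), ("href", HREF_SVG)]:
        print(label, "->", svg_findings(doc) or "clean")
```

Validation at upload time is the first layer; because the advisory's trigger is an administrator opening the avatar URL directly, a second layer is to serve user-uploaded files so that they never execute in the application's origin, for example with a Content-Disposition: attachment header, a Content-Security-Policy: sandbox header, or from a separate cookie-less domain. Rasterising avatars to PNG on upload removes the SVG attack surface entirely.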
Recommendations
Update ERPNext to a version newer than 15.83.2.
Update Frappe Framework to a version newer than 15.86.0.
Exploit · Fix · LPE · XSS
Weakness Enumeration
Related Identifiers
Affected Products
Erpnext
Frappe Framework