PT-2025-51252 · Frappe · Erpnext
An Chu
+1
·
Published
2025-12-15
·
Updated
2025-12-15
·
CVE-2025-66434
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Frappe ERPNext versions through 15.89.0
Description
A Server-Side Template Injection (SSTI) issue exists in the `get_dunning_letter_text` method. The function renders Jinja2 templates (`body_text`) using `frappe.render_template()` with a user-supplied context (`doc`). Despite the use of a SandboxedEnvironment, dangerous globals like `frappe.db.sql` remain accessible through `get_safe_globals()`. An authenticated attacker who can configure Dunning Type and its child table Dunning Letter Text can inject Jinja expressions, potentially leading to server-side code execution in a limited context and information disclosure from the database.
Recommendations
Versions prior to 15.89.0 should be updated.
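The description makes the defensive point that a Jinja2 sandbox alone is not a fix: the sandbox blocks unsafe attribute access, but it will call any callable that the globals or the context hand it. The two checks a practitioner wants are therefore to validate a user-editable template at save time against an allowlist of names, and to render it only against plain data. The block below is an added example in plain Jinja2, not Frappe or ERPNext code; `ALLOWED_VARS`, `sanitize_context`, `validate_template`, `render_letter` and `FakeDB` are hypothetical names, and `SAMPLE_CONTEXT` is a constructed stand-in for a dunning document plus a database handle that must never be reachable from a letter.

```python
"""Data-only rendering of user-editable Jinja2 letter templates (added example)."""
from jinja2 import StrictUndefined, meta
from jinja2.exceptions import SecurityError, UndefinedError
from jinja2.sandbox import ImmutableSandboxedEnvironment

# Hypothetical allowlist of top-level names a letter template may reference.
ALLOWED_VARS = {"doc", "company", "today"}

_DROP = object()  # sentinel: value rejected by the context sanitizer

# StrictUndefined makes any stripped or unknown name fail loudly at render time.
_env = ImmutableSandboxedEnvironment(undefined=StrictUndefined, autoescape=True)


class FakeDB:
    """Constructed stand-in for a live database handle (think frappe.db)."""

    def sql(self, query):
        return [("should-never-be-reachable",)]


# Constructed sample context: letter data plus objects that must not leak.
SAMPLE_CONTEXT = {
    "doc": {"customer_name": "Acme Ltd", "outstanding": 1200, "_internal": FakeDB()},
    "db": FakeDB(),
}


def sanitize_context(value, depth=0):
    """Recursively keep only plain data: str/int/float/bool/None, dicts, lists.

    Callables, modules, ORM documents, DB handles and any other object are
    dropped, so a template cannot call into them even inside the sandbox.
    Keys starting with "_" are treated as internal and dropped as well.
    """
    if depth > 16:
        return _DROP
    if value is None or isinstance(value, (str, int, float, bool)):
        return value
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            key = str(key)
            if key.startswith("_"):
                continue
            cleaned = sanitize_context(item, depth + 1)
            if cleaned is not _DROP:
                out[key] = cleaned
        return out
    if isinstance(value, (list, tuple)):
        cleaned = (sanitize_context(v, depth + 1) for v in value)
        return [c for c in cleaned if c is not _DROP]
    return _DROP


def validate_template(body_text):
    """Return the top-level names the template uses that are not allowlisted.

    Meant to run when the template row is saved, so a template that reaches
    for anything outside ALLOWED_VARS is rejected before it is ever rendered.
    """
    ast = _env.parse(body_text)
    return meta.find_undeclared_variables(ast) - ALLOWED_VARS


def render_letter(body_text, context):
    """Render body_text against a sanitized, data-only copy of context.

    Returns (True, text) on success, or (False, reason) when the template uses
    a disallowed name, trips the sandbox, or touches something that was stripped.
    """
    disallowed = validate_template(body_text)
    if disallowed:
        return False, f"template references disallowed names: {sorted(disallowed)}"
    safe_ctx = sanitize_context(context)
    if safe_ctx is _DROP:
        safe_ctx = {}
    try:
        return True, _env.from_string(body_text).render(safe_ctx)
    except (SecurityError, UndefinedError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    print(render_letter("Dear {{ doc.customer_name }}, {{ doc.outstanding }} is due.", SAMPLE_CONTEXT))
    print(render_letter("{{ db.sql('select 1') }}", SAMPLE_CONTEXT))
    print(render_letter("{{ doc._internal.sql('x') }}", SAMPLE_CONTEXT))
```

In a Frappe app the equivalent of `validate_template` would belong in the doctype's `validate` hook for the child table row, and the equivalent of `sanitize_context` would replace passing the live document and `get_safe_globals()` output into `frappe.render_template()`; both placements are assumptions about where such checks would go, not a description of the shipped fix. Note that the allowlist check catches a bad template at configuration time, while the data-only context is what protects a template that was already saved.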
Exploit
Fix
Code Injection
Related Identifiers
Affected Products
Erpnext