PT-2025-51253 · Frappe · Erpnext
An Chu +1
Published 2025-12-15 · Updated 2025-12-15
CVE-2025-66435
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Frappe ERPNext versions through 15.89.0
Description
A Server-Side Template Injection (SSTI) issue exists in the get_contract_template function. This function renders Jinja2 templates, specifically the contract_terms field, using frappe.render_template() with a user-supplied context (doc). Despite the use of a SandboxedEnvironment, dangerous globals like frappe.db.sql remain accessible through get_safe_globals(). An authenticated attacker who can create or modify a Contract Template can inject Jinja expressions into the contract_terms field, potentially leading to server-side code execution within a limited context and the leakage of database information.
Recommendations
Versions prior to 15.89.0 should be updated.
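As an added example, not part of this advisory or of the Frappe/ERPNext code base: a Python audit a defender can run over exported Contract Template contract_terms values to flag Jinja expressions that reach the globals described above, useful for checking existing templates before and after updating. The watchlist (beyond frappe.db.sql, which the advisory names) and the sample records are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Default Jinja2 delimiters; the optional '-' covers whitespace-control variants.
JINJA_TAG_RE = re.compile(r"\{\{-?(.*?)-?\}\}|\{%-?(.*?)-?%\}", re.DOTALL)
# Subscript access that Jinja2 treats like attribute access: frappe["db"] == frappe.db
SUBSCRIPT_RE = re.compile(r"""\[\s*(['"])([A-Za-z_][A-Za-z0-9_]*)\1\s*\]""")

# Watchlist for this audit (constructed; the advisory itself names only frappe.db.sql).
# "frappe.db" covers sql() and the other db accessors; dunder names are generic sandbox-escape markers.
DANGEROUS_REFS = ("frappe.db", "__class__", "__subclasses__", "__globals__", "__import__")


@dataclass(frozen=True)
class Finding:
    template: str    # Contract Template name
    expression: str  # offending Jinja expression, as written
    reference: str   # watchlist entry that matched


def normalize(expr: str) -> str:
    """Canonicalise so frappe['db'] . sql and frappe.db.sql compare equal."""
    expr = SUBSCRIPT_RE.sub(r".\2", expr)
    return re.sub(r"\s+", "", expr)


def audit_contract_terms(templates: dict) -> list:
    """templates: {Contract Template name: contract_terms source}; returns every suspicious expression."""
    findings = []
    for name, source in templates.items():
        for m in JINJA_TAG_RE.finditer(source or ""):
            raw = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
            canon = normalize(raw)
            for ref in DANGEROUS_REFS:
                if ref in canon:
                    findings.append(Finding(name, raw, ref))
                    break  # one finding per expression is enough for triage
    return findings


# Constructed sample records standing in for exported Contract Template rows (not real data).
SAMPLE_TEMPLATES = {
    "Standard NDA": "Between {{ doc.party_name }} and us, effective {{- doc.start_date }}.",
    "Tampered A": "Terms: {{ frappe.db.sql('select 1') }}",
    "Tampered B": 'Terms: {{ frappe["db"] . sql("select 1") }}',
}

if __name__ == "__main__":
    for f in audit_contract_terms(SAMPLE_TEMPLATES):
        print(f"{f.template}: {f.reference} reached via {{{{ {f.expression} }}}}")
```

Feed it the contract_terms column of the Contract Template table (for example from a database export) and treat every finding as a template to review before it is rendered again.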
Tags: SSRF, Code Injection
Affected Products: Erpnext