PT-2025-51257 · Frappe · Erpnext

An Chu (+1) · Published 2025-12-15 · Updated 2025-12-23 · CVE-2025-66436

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Frappe ERPNext versions through 15.89.0

Description: An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method. The function renders attacker-controlled Jinja2 templates (terms) using frappe.render_template() with a user-supplied context (doc). While a custom SandboxedEnvironment is used, dangerous globals such as frappe.db.sql remain accessible through get_safe_globals(). An authenticated attacker who can create or modify Terms and Conditions documents can inject arbitrary Jinja expressions into the terms field, leading to server-side code execution within a limited context. This can allow for the leakage of database information.

Recommendations: Versions prior to 15.89.0 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
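The description states that the terms field is rendered as a Jinja2 template whose globals reach frappe.db, and that no fixed version is known yet. Until one is available, a practical defensive control is to audit existing Terms and Conditions records and validate new ones before they are saved. The scanner below is an added example written for this advisory, not code from Frappe or ERPNext. It uses only the Python standard library and assumes the records are available as dicts with `name` and `terms` keys (the sample records are constructed here). It flags any Jinja expression that references a root name other than the rendered `doc` (or a name bound by `for`/`set` in the same template) or that uses dunder attribute access. The allowlist of root names is an assumption; a deployment that intentionally exposes other helpers to terms templates would extend it.

```python
import re
from dataclasses import dataclass

# Default Jinja2 delimiters; per the advisory the terms field is rendered with
# frappe.render_template(), which uses Jinja2 syntax.
_TAG_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)
_STRING_RE = re.compile(r"'[^']*'|\"[^\"]*\"")          # string literals (neutralised before scanning)
_FILTER_RE = re.compile(r"\|\s*[A-Za-z_]\w*")            # "| upper" style filters are not globals
_ROOT_NAME_RE = re.compile(r"(?<![\w.])([A-Za-z_]\w*)")  # first identifier of a dotted chain
_BINDING_RE = re.compile(r"\b(?:for|set)\s+([A-Za-z_]\w*(?:\s*,\s*[A-Za-z_]\w*)*)")

# Assumption: a terms template legitimately needs only the rendered document plus
# Jinja control keywords. Anything else reaching the template via globals is suspect.
ALLOWED_ROOTS = {
    "doc", "loop", "if", "elif", "else", "endif", "for", "endfor", "in",
    "and", "or", "not", "is", "defined", "none", "true", "false", "set",
}


@dataclass
class Finding:
    doc_name: str      # name of the Terms and Conditions record
    expression: str    # the offending Jinja expression, stripped
    reasons: list[str]


def analyse_expression(expr: str, bound_names: frozenset = frozenset()) -> list[str]:
    """Return the reasons a single Jinja expression looks suspicious (empty list if none)."""
    reasons = []
    body = _STRING_RE.sub("''", expr)            # ignore identifiers inside string literals
    if "__" in body:
        reasons.append("dunder attribute access")
    body = _FILTER_RE.sub("", body)              # drop filter names so they are not treated as globals
    roots = {m.group(1) for m in _ROOT_NAME_RE.finditer(body)}
    unexpected = sorted(r for r in roots
                        if r.lower() not in ALLOWED_ROOTS and r not in bound_names)
    if unexpected:
        reasons.append("references non-doc globals: " + ", ".join(unexpected))
    return reasons


def _expressions(text: str):
    for m in _TAG_RE.finditer(text):
        yield m.group(1) if m.group(1) is not None else m.group(2)


def scan_terms(records: list[dict]) -> list[Finding]:
    """Scan Terms and Conditions records; each record is {"name": ..., "terms": ...}."""
    findings = []
    for rec in records:
        text = rec["terms"]
        # First pass: collect names the template itself binds (loop variables, set).
        bound = set()
        for expr in _expressions(text):
            for b in _BINDING_RE.finditer(expr):
                bound.update(re.split(r"\s*,\s*", b.group(1)))
        # Second pass: judge every expression against the allowlist and bindings.
        for expr in _expressions(text):
            reasons = analyse_expression(expr, frozenset(bound))
            if reasons:
                findings.append(Finding(rec["name"], expr.strip(), reasons))
    return findings


def is_safe_terms(text: str) -> bool:
    """Pre-save check for a single terms field: True when nothing is flagged."""
    return not scan_terms([{"name": "<unsaved>", "terms": text}])


# Constructed sample records (not real data from any ERPNext instance).
SAMPLE_RECORDS = [
    {"name": "TC-0001",
     "terms": "Payment is due within 30 days, {{ doc.customer_name }}.\n"
              "{% for item in doc.items %}- {{ item.item_code }}\n{% endfor %}"},
    {"name": "TC-0002",
     "terms": "Thank you for your order. {{ frappe.db.sql(\"...\") }}"},
    {"name": "TC-0003",
     "terms": "{{ doc.__class__ }}"},
]

if __name__ == "__main__":
    for f in scan_terms(SAMPLE_RECORDS):
        print(f"{f.doc_name}: {f.expression!r} -> {'; '.join(f.reasons)}")
```

This is a heuristic triage tool, not a sandbox: it reports template text that reaches outside the document context so that a reviewer can inspect the record and its modification history, and it can be wired into a pre-save validation so new or edited records that fail `is_safe_terms` are rejected or queued for review. Because the advisory attributes the issue to an authenticated user with create or modify rights on Terms and Conditions, tightening that role's permissions is the complementary control while waiting for a fixed release.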

Exploit

SSRF

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2025-66436

Affected Products

Erpnext