PT-2025-51260 · Frappe · Erpnext

Published 2025-12-15 · Updated 2026-01-05 · CVE-2025-66439

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Frappe ERPNext versions through 15.89.0

Description
An issue exists in Frappe ERPNext that allows an attacker to extract arbitrary data from the database. The get_outstanding_reference_documents() function, located in erpnext/accounts/doctype/payment_entry/payment_entry.py, is susceptible to SQL injection because the from_posting_date parameter is interpolated directly into the query text instead of being validated or passed as a bound parameter. The advisory does not name the API endpoint through which the function is reached. The vulnerable parameter is from_posting_date.
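As an added example (not code from the advisory or from ERPNext), the following Python reproduces the pattern the description attributes to from_posting_date: a caller-controlled date string pasted into the SQL text, shown beside a hardened version that validates the value as a date and binds it with a placeholder. The invoice and secret tables, the row contents and the payload are constructed stand-ins, and sqlite3 takes the place of frappe.db.sql; nothing here is a claim about the real ERPNext query.

```python
"""Vulnerable vs. hardened handling of a date filter in a SQL query.

Added example, not ERPNext code.  The schema, sample rows and payload are
constructed for illustration; sqlite3 stands in for frappe.db.sql.
"""

import datetime
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE invoice (name TEXT, posting_date TEXT, outstanding REAL);
        CREATE TABLE secret  (k TEXT, v TEXT);
        INSERT INTO invoice VALUES ('INV-1', '2025-01-10', 100.0),
                                   ('INV-2', '2025-03-05',  50.0);
        INSERT INTO secret  VALUES ('api_key', 'hunter2');
        """
    )
    return con


def outstanding_vulnerable(con: sqlite3.Connection, from_posting_date: str) -> list:
    """Vulnerable pattern: the filter value becomes part of the SQL text.

    Whatever the caller puts in from_posting_date is executed as SQL, which is
    the weakness the advisory assigns to that parameter.
    """
    sql = (
        "SELECT name, posting_date, outstanding FROM invoice "
        f"WHERE posting_date >= '{from_posting_date}'"
    )
    return con.execute(sql).fetchall()


def outstanding_fixed(con: sqlite3.Connection, from_posting_date: str) -> list:
    """Hardened pattern: validate the type, then pass the value as a bound parameter.

    date.fromisoformat rejects anything that is not YYYY-MM-DD, and the ?
    placeholder keeps the value out of the query text entirely.
    """
    parsed = datetime.date.fromisoformat(from_posting_date)  # ValueError on junk
    sql = "SELECT name, posting_date, outstanding FROM invoice WHERE posting_date >= ?"
    return con.execute(sql, (parsed.isoformat(),)).fetchall()


# Constructed payload: closes the quote, appends a UNION over another table and
# comments out the dangling quote.  It illustrates the weakness class only.
PAYLOAD = "' UNION SELECT k, v, 0 FROM secret -- "


def demo() -> dict:
    """Run both variants against the same input and report what each returns."""
    con = make_db()
    out = {
        "vulnerable": outstanding_vulnerable(con, PAYLOAD),
        "fixed_valid": outstanding_fixed(con, "2025-02-01"),
    }
    try:
        outstanding_fixed(con, PAYLOAD)
        out["fixed_payload"] = "executed"  # must not happen
    except ValueError:
        out["fixed_payload"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against the constructed database, the vulnerable variant returns the row from the unrelated secret table alongside the invoices, while the hardened variant rejects the payload before any SQL is built and returns only invoices for a genuine date. The two defences are independent: parameter binding alone already stops the injection, and the ISO-date check additionally keeps malformed input from reaching the database.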
Recommendations
Update affected installations (versions through 15.89.0) to a release that contains the fix.

Weakness Enumeration
SQL injection

Related Identifiers
CVE-2025-66439

Affected Products
Erpnext