CVE-2025-66440

Name of the Vulnerable Software and Affected Versions Frappe ERPNext versions through 15.89.0

Description A SQL injection issue exists in Frappe ERPNext. The get outstanding reference documents() function within the erpnext/accounts/doctype/payment entry/payment entry.py file is susceptible to exploitation. An attacker can extract data from the database by injecting SQL payloads through the to posting date parameter. This parameter is directly incorporated into database queries without adequate sanitization or parameter binding.

Recommendations Versions prior to 15.89.0 are recommended to be updated.