ГлавнаяУязвимости → CVE-2025-66440
8.8высокая

CVE-2025-66440

Описание

An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext/accounts/doctype/payment_entry/payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by injecting SQL payloads via the to_posting_date parameter, which is directly interpolated into the query without proper sanitization or parameter binding.

Затрагиваемое ПО
Frappe Erpnext
CVSS
Балл8.8 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Источники
https://github.com/frappe/frappe/securityhttps://iamanc.github.io/post/erpnext-sqli