ERPNext v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the orderby and groupby parameters.
{ "versions": [ { "introduced": "0" }, { "last_affected": "15.67.0" } ] }
{ "versions": [ { "introduced": "0" }, { "last_affected": "15.72.4" } ] }
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-56381.json"