CVE-2025-65267

Source
https://cve.org/CVERecord?id=CVE-2025-65267
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65267.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-65267
Published
2025-12-03T15:15:55.103Z
Modified
2026-04-10T05:34:03.473184Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
[none]
Details

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.
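The missing control the Details describe is validation of the uploaded SVG before it is stored and served; the following is an added example, not ERPNext's or Frappe's own code, and it assumes nothing about their upload API. It parses the SVG and reports every script-capable construct (script-hosting elements, `on*` event handlers, and `javascript:`/`data:` URIs, including ones obfuscated with embedded whitespace), so an upload handler can reject the file instead of relying on the viewer.

```python
import re
import xml.etree.ElementTree as ET

XLINK = "{http://www.w3.org/1999/xlink}"
# Elements that turn a "picture" into a script host, and URI schemes that execute.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
URI_ATTRS = {"href", "xlink:href", "src"}
# data: is rejected too, because data:image/svg+xml nests a second document.
ACTIVE_SCHEME = re.compile(r"^(javascript|vbscript|data):", re.IGNORECASE)


def _name(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'; xlink attrs keep their prefix."""
    if qname.startswith(XLINK):
        return "xlink:" + qname[len(XLINK):]
    return qname.rsplit("}", 1)[-1]


def find_active_content(svg: bytes) -> list[str]:
    """Return one finding per script-capable construct; [] means the SVG is inert."""
    try:
        root = ET.fromstring(svg)  # stdlib parser: no external entity expansion
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]  # malformed input is never accepted
    findings = []
    if _name(root.tag).lower() != "svg":
        findings.append(f"root element is <{_name(root.tag)}>, not <svg>")
    for elem in root.iter():
        tag = _name(elem.tag).lower()
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for qname, value in elem.attrib.items():
            attr = _name(qname)
            if attr.lower().startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            # Browsers skip ASCII whitespace/control chars before the scheme
            # ("java\tscript:"), so strip them before matching.
            if attr.lower() in URI_ATTRS and ACTIVE_SCHEME.match(re.sub(r"[\x00-\x20]", "", value)):
                findings.append(f"{attr}={value!r} on <{tag}>")
    return findings


def is_safe_svg(svg: bytes) -> bool:
    return not find_active_content(svg)


# Constructed sample uploads (not taken from the advisory).
CLEAN_AVATAR = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPTED_AVATAR = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
                   b'onload="void 0"><a xlink:href="java&#x09;script:void(0)"><rect width="10" height="10"/></a>'
                   b'<script>/* would run when an admin opens the file URL */</script></svg>')
```

Rejecting active content at upload time complements, rather than replaces, serving user-uploaded files from a separate origin with a Content-Security-Policy that disallows script, which contains whatever a parser-based check misses.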

References

Affected packages

Git / github.com/frappe/erpnext

Affected ranges

Type
GIT
Repo
https://github.com/frappe/erpnext
Events
Introduced: 0 (Unknown introduced commit / All previous commits are affected)
Last affected: 15.83.2
Introduced: 0 (Unknown introduced commit / All previous commits are affected)
Last affected: 15.86.0
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "15.83.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "15.86.0"
        }
    ]
}

Affected versions

4.*
4.0.0
4.0.0-beta1
v10.*
v10.0.0
v10.0.1
v10.0.2
v11.*
v11.0.0-beta
v12.*
v12.0.0
v12.0.1
v12.0.2
v12.0.3
v12.0.4
v12.0.5
v12.0.6
v12.0.7
v12.0.8
v12.1.0
v12.1.1
v12.1.2
v12.1.3
v12.1.4
v12.1.5
v12.1.6
v14.*
v14.0.0-beta.2
v15.*
v15.0.0
v15.1.0
v15.10.0
v15.10.1
v15.10.2
v15.10.3
v15.10.4
v15.10.5
v15.10.6
v15.10.7
v15.10.8
v15.11.0
v15.11.1
v15.12.0
v15.12.1
v15.12.2
v15.13.0
v15.14.0
v15.14.1
v15.14.2
v15.14.3
v15.14.4
v15.14.5
v15.14.6
v15.14.7
v15.15.0
v15.16.0
v15.16.1
v15.16.2
v15.17.0
v15.17.1
v15.17.2
v15.17.3
v15.17.4
v15.17.5
v15.17.6
v15.18.0
v15.18.1
v15.18.2
v15.18.3
v15.19.0
v15.19.1
v15.19.2
v15.2.0
v15.20.0
v15.20.1
v15.20.2
v15.20.3
v15.20.4
v15.20.5
v15.20.6
v15.21.0
v15.21.1
v15.21.2
v15.22.0
v15.22.1
v15.22.2
v15.23.0
v15.23.1
v15.23.2
v15.23.3
v15.24.0
v15.24.1
v15.25.0
v15.26.0
v15.26.1
v15.27.0
v15.27.1
v15.27.2
v15.27.3
v15.27.4
v15.27.5
v15.27.6
v15.27.7
v15.28.0
v15.28.1
v15.28.2
v15.29.0
v15.29.1
v15.29.2
v15.29.3
v15.29.4
v15.3.0
v15.30.0
v15.31.0
v15.31.1
v15.31.2
v15.31.3
v15.31.4
v15.31.5
v15.32.0
v15.32.1
v15.33.0
v15.33.1
v15.33.2
v15.33.3
v15.33.4
v15.33.5
v15.34.0
v15.34.1
v15.34.2
v15.35.0
v15.35.1
v15.35.2
v15.36.0
v15.36.1
v15.36.2
v15.36.3
v15.36.4
v15.37.0
v15.38.0
v15.38.1
v15.38.2
v15.38.3
v15.38.4
v15.39.0
v15.39.1
v15.39.2
v15.39.3
v15.39.4
v15.39.5
v15.39.6
v15.4.0
v15.40.0
v15.41.0
v15.41.1
v15.41.2
v15.42.0
v15.43.0
v15.43.1
v15.43.2
v15.43.3
v15.44.0
v15.45.0
v15.45.1
v15.45.2
v15.45.3
v15.45.4
v15.45.5
v15.46.0
v15.46.1
v15.46.2
v15.47.0
v15.47.1
v15.47.2
v15.47.3
v15.47.4
v15.47.5
v15.48.0
v15.48.1
v15.48.2
v15.48.3
v15.48.4
v15.49.0
v15.49.1
v15.49.2
v15.49.3
v15.5.0
v15.50.0
v15.50.1
v15.51.0
v15.51.1
v15.51.2
v15.52.0
v15.53.0
v15.53.1
v15.53.2
v15.53.3
v15.53.4
v15.54.0
v15.54.1
v15.54.2
v15.54.3
v15.54.4
v15.54.5
v15.55.0
v15.55.1
v15.55.2
v15.55.3
v15.55.4
v15.55.5
v15.56.0
v15.57.0
v15.57.1
v15.57.2
v15.57.3
v15.57.4
v15.57.5
v15.58.0
v15.58.1
v15.58.2
v15.59.0
v15.6.0
v15.6.1
v15.60.0
v15.60.1
v15.60.2
v15.61.0
v15.61.1
v15.62.0
v15.63.0
v15.64.0
v15.64.1
v15.65.0
v15.65.1
v15.65.2
v15.65.3
v15.65.4
v15.66.0
v15.66.1
v15.67.0
v15.68.0
v15.69.0
v15.69.1
v15.69.2
v15.7.0
v15.70.0
v15.70.1
v15.70.2
v15.71.0
v15.71.1
v15.72.0
v15.72.1
v15.72.2
v15.72.3
v15.73.0
v15.73.1
v15.73.2
v15.74.0
v15.75.0
v15.75.1
v15.76.0
v15.77.0
v15.78.0
v15.78.1
v15.79.0
v15.79.1
v15.79.2
v15.8.0
v15.8.1
v15.8.2
v15.8.3
v15.80.0
v15.80.1
v15.81.0
v15.81.1
v15.81.2
v15.81.3
v15.82.0
v15.82.1
v15.82.2
v15.83.0
v15.83.1
v15.83.2
v15.84.0
v15.85.0
v15.85.1
v15.86.0
v15.9.0
v15.9.1
v3.*
v3.1.0
v3.1.1
v3.1.2
Other
v4-beta2
v4.*
v4.0.1
v4.10.0
v4.11.0
v4.11.1
v4.11.2
v4.12.0
v4.13.0
v4.13.1
v4.14.0
v4.15.0
v4.15.1
v4.15.2
v4.15.3
v4.15.4
v4.16.0
v4.17.0
v4.18.0
v4.18.1
v4.19.0
v4.20.0
v4.20.1
v4.20.2
v4.21.0
v4.21.1
v4.21.2
v4.21.3
v4.21.4
v4.22.0
v4.22.1
v4.22.2
v4.23.0
v4.24.0
v4.24.1
v4.24.2
v4.24.3
v4.24.4
v4.25.0
v4.25.1
v4.25.2
v4.25.3
v4.25.4
v4.25.5
v4.25.6
v4.25.7
v4.3.0
v4.4.0
v4.4.1
v4.4.2
v4.5.0
v4.5.1
v4.5.2
v4.6.0
v4.6.1
v4.6.2
v4.7.0
v4.7.1
v4.7.2
v4.8.0
v4.9.0
v4.9.1
v4.9.2
v4.9.3
v5.*
v5.0.0
v5.0.1
v5.0.10
v5.0.11
v5.0.12
v5.0.13
v5.0.14
v5.0.15
v5.0.16
v5.0.17
v5.0.18
v5.0.19
v5.0.2
v5.0.20
v5.0.21
v5.0.22
v5.0.23
v5.0.24
v5.0.25
v5.0.26
v5.0.27
v5.0.28
v5.0.29
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v5.1.4
v5.1.5
v5.1.6
v5.2.0
v5.2.1
v5.3.0
v5.3.1
v5.4.0
v5.4.1
v5.4.2
v5.5.0
v5.5.1
v5.6.0
v5.6.1
v5.6.2
v5.6.3
v5.6.4
v5.7.0
v5.7.1
v5.7.2
v5.7.3
v5.7.4
v5.7.5
v5.7.6
v5.7.7
v5.8.0
v5.8.1
v5.8.2
v6.*
v6.0.0
v6.0.1
v6.1.0
v6.1.1
v6.10.0
v6.10.1
v6.10.2
v6.11.0
v6.11.1
v6.11.2
v6.11.3
v6.12.0
v6.12.1
v6.12.10
v6.12.11
v6.12.2
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13.0
v6.13.1
v6.14.0
v6.14.1
v6.15.0
v6.15.1
v6.16.0
v6.16.1
v6.16.2
v6.16.3
v6.16.4
v6.17.0
v6.18.0
v6.18.1
v6.18.2
v6.18.3
v6.18.4
v6.19.0
v6.2.0
v6.2.1
v6.20.0
v6.21.0
v6.21.1
v6.21.2
v6.21.3
v6.21.4
v6.21.5
v6.21.6
v6.22.0
v6.22.1
v6.23.0
v6.23.1
v6.23.2
v6.23.3
v6.23.4
v6.23.5
v6.23.6
v6.23.7
v6.24.0
v6.24.1
v6.24.2
v6.24.3
v6.24.4
v6.24.5
v6.25.0
v6.25.1
v6.25.2
v6.25.3
v6.25.4
v6.25.5
v6.26.0
v6.27.0
v6.27.1
v6.27.10
v6.27.11
v6.27.12
v6.27.13
v6.27.14
v6.27.15
v6.27.16
v6.27.17
v6.27.18
v6.27.19
v6.27.2
v6.27.20
v6.27.21
v6.27.22
v6.27.23
v6.27.24
v6.27.25
v6.27.26
v6.27.3
v6.27.4
v6.27.5
v6.27.6
v6.27.7
v6.27.8
v6.27.9
v6.3.0
v6.3.1
v6.3.2
v6.4.0
v6.4.1
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.5.0
v6.5.1
v6.5.2
v6.5.3
v6.6.0
v6.6.1
v6.6.2
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.7.0
v6.7.1
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.7.6
v6.7.7
v6.7.8
v6.8.0
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.9.0
v6.9.1
v6.9.2
v7.*
v7.0.0
v7.0.1
v7.0.10
v7.0.11
v7.0.12
v7.0.13
v7.0.14
v7.0.15
v7.0.16
v7.0.17
v7.0.18
v7.0.19
v7.0.2
v7.0.20
v7.0.21
v7.0.22
v7.0.23
v7.0.24
v7.0.25
v7.0.26
v7.0.27
v7.0.28
v7.0.29
v7.0.3
v7.0.30
v7.0.31
v7.0.32
v7.0.33
v7.0.34
v7.0.35
v7.0.36
v7.0.37
v7.0.38
v7.0.39
v7.0.4
v7.0.40
v7.0.41
v7.0.42
v7.0.43
v7.0.44
v7.0.45
v7.0.46
v7.0.47
v7.0.48
v7.0.49
v7.0.5
v7.0.50
v7.0.51
v7.0.52
v7.0.53
v7.0.54
v7.0.55
v7.0.56
v7.0.57
v7.0.58
v7.0.59
v7.0.6
v7.0.60
v7.0.61
v7.0.62
v7.0.63
v7.0.7
v7.0.8
v7.0.9
v7.1.0
v7.1.1
v7.1.10
v7.1.11
v7.1.12
v7.1.13
v7.1.14
v7.1.15
v7.1.16
v7.1.17
v7.1.18
v7.1.19
v7.1.2
v7.1.20
v7.1.21
v7.1.22
v7.1.23
v7.1.24
v7.1.25
v7.1.26
v7.1.27
v7.1.28
v7.1.29
v7.1.3
v7.1.4
v7.1.5
v7.1.6
v7.1.7
v7.1.8
v7.1.9
v7.2.0
v7.2.1
v7.2.10
v7.2.11
v7.2.12
v7.2.13
v7.2.14
v7.2.15
v7.2.16
v7.2.17
v7.2.18
v7.2.19
v7.2.2
v7.2.20
v7.2.21
v7.2.22
v7.2.23
v7.2.24
v7.2.25
v7.2.26
v7.2.27
v7.2.28
v7.2.29
v7.2.3
v7.2.30
v7.2.31
v7.2.32
v7.2.4
v7.2.5
v7.2.6
v7.2.7
v7.2.8
v7.2.9
v8.*
v8.0.0
v8.0.1
v8.0.10
v8.0.11
v8.0.12
v8.0.13
v8.0.14
v8.0.15
v8.0.16
v8.0.17
v8.0.18
v8.0.19
v8.0.2
v8.0.20
v8.0.21
v8.0.22
v8.0.23
v8.0.24
v8.0.25
v8.0.26
v8.0.27
v8.0.28
v8.0.29
v8.0.3
v8.0.30
v8.0.31
v8.0.32
v8.0.33
v8.0.34
v8.0.35
v8.0.36
v8.0.37
v8.0.38
v8.0.39
v8.0.4
v8.0.40
v8.0.41
v8.0.42
v8.0.43
v8.0.44
v8.0.45
v8.0.46
v8.0.47
v8.0.48
v8.0.49
v8.0.5
v8.0.50
v8.0.51
v8.0.6
v8.0.7
v8.0.8
v8.0.9
v8.1.0
v8.1.1
v8.1.2
v8.1.3
v8.1.4
v8.1.5
v8.1.6
v8.1.7
v8.10.0
v8.10.1
v8.10.2
v8.11.0
v8.11.1
v8.11.2
v8.11.3
v8.11.4
v8.11.5
v8.11.6
v8.2.0
v8.2.1
v8.2.2
v8.2.3
v8.2.4
v8.2.5
v8.3.0
v8.3.1
v8.3.2
v8.3.3
v8.3.4
v8.3.5
v8.3.6
v8.4.0
v8.4.1
v8.4.2
v8.4.3
v8.5.0
v8.5.1
v8.5.2
v8.5.3
v8.5.4
v8.5.5
v8.6.0
v8.6.1
v8.6.2
v8.6.3
v8.6.4
v8.6.5
v8.6.6
v8.7.0
v8.7.1
v8.7.2
v8.7.3
v8.8.0
v8.8.1
v8.8.2
v8.8.3
v8.8.4
v8.8.5
v8.8.6
v8.9.0
v8.9.1
v8.9.2
v9.*
v9.0.0
v9.0.1
v9.0.2
v9.0.3
v9.0.4
v9.0.5
v9.0.6
v9.0.7
v9.0.8
v9.0.9
v9.1.0
v9.1.1
v9.1.2
v9.1.3
v9.1.4
v9.1.5
v9.1.6
v9.1.7
v9.1.8
v9.2.0
v9.2.1
v9.2.10
v9.2.11
v9.2.12
v9.2.13
v9.2.14
v9.2.15
v9.2.16
v9.2.17
v9.2.18
v9.2.19
v9.2.2
v9.2.20
v9.2.21
v9.2.22
v9.2.23
v9.2.24
v9.2.3
v9.2.4
v9.2.5
v9.2.6
v9.2.7
v9.2.8
v9.2.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65267.json"