CVE-2025-67289

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-67289

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67289.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-67289

Published

2025-12-22T18:16:16.947Z

Modified

2026-03-15T22:51:59.883798Z

Severity

9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.

References

Affected packages

Git / github.com/frappe/erpnext

Affected ranges

Type

GIT

Repo

https://github.com/frappe/erpnext

Events

Introduced

Last affected

d8dab986fa7bdda88df74906df61df4c81e2c8b0

Introduced

Last affected

d8dab986fa7bdda88df74906df61df4c81e2c8b0

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "15.89.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "15.89.0"
        }
    ]
}

Affected versions

4.*

4.0.0

4.0.0-beta1

v10.*

v10.0.0

v10.0.1

v10.0.10

v10.0.11

v10.0.12

v10.0.13

v10.0.14

v10.0.15

v10.0.16

v10.0.17

v10.0.18

v10.0.19

v10.0.2

v10.0.20

v10.0.21

v10.0.22

v10.0.23

v10.0.3

v10.0.4

v10.0.5

v10.0.6

v10.0.7

v10.0.8

v10.0.9

v10.1.0

v10.1.1

v10.1.10

v10.1.11

v10.1.12

v10.1.13

v10.1.14

v10.1.15

v10.1.16

v10.1.17

v10.1.18

v10.1.19

v10.1.2

v10.1.20

v10.1.21

v10.1.22

v10.1.23

v10.1.24

v10.1.25

v10.1.26

v10.1.27

v10.1.28

v10.1.29

v10.1.3

v10.1.30

v10.1.31

v10.1.32

v10.1.33

v10.1.34

v10.1.35

v10.1.36

v10.1.37

v10.1.38

v10.1.39

v10.1.4

v10.1.40

v10.1.41

v10.1.42

v10.1.43

v10.1.44

v10.1.45

v10.1.46

v10.1.47

v10.1.48

v10.1.49

v10.1.5

v10.1.50

v10.1.51

v10.1.52

v10.1.53

v10.1.54

v10.1.55

v10.1.56

v10.1.57

v10.1.58

v10.1.59

v10.1.6

v10.1.60

v10.1.61

v10.1.62

v10.1.63

v10.1.64

v10.1.65

v10.1.66

v10.1.67

v10.1.68

v10.1.69

v10.1.7

v10.1.70

v10.1.71

v10.1.72

v10.1.73

v10.1.74

v10.1.75

v10.1.76

v10.1.77

v10.1.78

v10.1.79

v10.1.8

v10.1.80

v10.1.81

v10.1.9

v11.*

v11.0.0-beta

v11.0.1

v11.0.2

v11.0.3

v11.0.3-beta.10

v11.0.3-beta.11

v11.0.3-beta.12

v11.0.3-beta.13

v11.0.3-beta.14

v11.0.3-beta.15

v11.0.3-beta.16

v11.0.3-beta.17

v11.0.3-beta.18

v11.0.3-beta.19

v11.0.3-beta.2

v11.0.3-beta.20

v11.0.3-beta.21

v11.0.3-beta.22

v11.0.3-beta.23

v11.0.3-beta.24

v11.0.3-beta.25

v11.0.3-beta.26

v11.0.3-beta.27

v11.0.3-beta.28

v11.0.3-beta.29

v11.0.3-beta.3

v11.0.3-beta.30

v11.0.3-beta.31

v11.0.3-beta.32

v11.0.3-beta.33

v11.0.3-beta.34

v11.0.3-beta.35

v11.0.3-beta.36

v11.0.3-beta.37

v11.0.3-beta.4

v11.0.3-beta.5

v11.0.3-beta.6

v11.0.3-beta.7

v11.0.3-beta.8

v11.0.3-beta.9

v11.1.0

v11.1.1

v11.1.10

v11.1.11

v11.1.12

v11.1.13

v11.1.14

v11.1.15

v11.1.16

v11.1.17

v11.1.18

v11.1.19

v11.1.2

v11.1.20

v11.1.3

v11.1.4

v11.1.5

v11.1.6

v11.1.7

v11.1.8

v11.1.9

v12.*

v12.0.0

v12.0.1

v12.0.2

v12.0.3

v12.0.4

v12.0.5

v12.0.6

v12.0.7

v12.0.8

v12.1.0

v12.1.1

v12.1.2

v12.1.3

v12.1.4

v12.1.5

v12.1.6

v12.1.7

v12.1.8

v12.2.0

v13.*

v13.0.0

v13.0.0-beta.1

v13.0.0-beta.10

v13.0.0-beta.11

v13.0.0-beta.12

v13.0.0-beta.13

v13.0.0-beta.14

v13.0.0-beta.2

v13.0.0-beta.3

v13.0.0-beta.4

v13.0.0-beta.5

v13.0.0-beta.6

v13.0.0-beta.7

v13.0.0-beta.8

v13.0.0-beta.9

v13.0.1

v13.0.2

v13.1.0

v13.1.1

v13.2.0

v13.2.1

v13.3.0

v13.3.1

v13.4.0

v13.4.1

v13.5.0

v13.5.1

v13.5.2

v13.6.0

v13.7.0

v13.7.1

v13.8.0

v13.9.0

v14.*

v14.0.0-beta.2

v15.*

v15.0.0

v15.1.0

v15.10.0

v15.10.1

v15.10.2

v15.10.3

v15.10.4

v15.10.5

v15.10.6

v15.10.7

v15.10.8

v15.11.0

v15.11.1

v15.12.0

v15.12.1

v15.12.2

v15.13.0

v15.14.0

v15.14.1

v15.14.2

v15.14.3

v15.14.4

v15.14.5

v15.14.6

v15.14.7

v15.15.0

v15.16.0

v15.16.1

v15.16.2

v15.17.0

v15.17.1

v15.17.2

v15.17.3

v15.17.4

v15.17.5

v15.17.6

v15.18.0

v15.18.1

v15.18.2

v15.18.3

v15.19.0

v15.19.1

v15.19.2

v15.2.0

v15.20.0

v15.20.1

v15.20.2

v15.20.3

v15.20.4

v15.20.5

v15.20.6

v15.21.0

v15.21.1

v15.21.2

v15.22.0

v15.22.1

v15.22.2

v15.23.0

v15.23.1

v15.23.2

v15.23.3

v15.24.0

v15.24.1

v15.25.0

v15.26.0

v15.26.1

v15.27.0

v15.27.1

v15.27.2

v15.27.3

v15.27.4

v15.27.5

v15.27.6

v15.27.7

v15.28.0

v15.28.1

v15.28.2

v15.29.0

v15.29.1

v15.29.2

v15.29.3

v15.29.4

v15.3.0

v15.30.0

v15.31.0

v15.31.1

v15.31.2

v15.31.3

v15.31.4

v15.31.5

v15.32.0

v15.32.1

v15.33.0

v15.33.1

v15.33.2

v15.33.3

v15.33.4

v15.33.5

v15.34.0

v15.34.1

v15.34.2

v15.35.0

v15.35.1

v15.35.2

v15.36.0

v15.36.1

v15.36.2

v15.36.3

v15.36.4

v15.37.0

v15.38.0

v15.38.1

v15.38.2

v15.38.3

v15.38.4

v15.39.0

v15.39.1

v15.39.2

v15.39.3

v15.39.4

v15.39.5

v15.39.6

v15.4.0

v15.40.0

v15.41.0

v15.41.1

v15.41.2

v15.42.0

v15.43.0

v15.43.1

v15.43.2

v15.43.3

v15.44.0

v15.45.0

v15.45.1

v15.45.2

v15.45.3

v15.45.4

v15.45.5

v15.46.0

v15.46.1

v15.46.2

v15.47.0

v15.47.1

v15.47.2

v15.47.3

v15.47.4

v15.47.5

v15.48.0

v15.48.1

v15.48.2

v15.48.3

v15.48.4

v15.49.0

v15.49.1

v15.49.2

v15.49.3

v15.5.0

v15.50.0

v15.50.1

v15.51.0

v15.51.1

v15.51.2

v15.52.0

v15.53.0

v15.53.1

v15.53.2

v15.53.3

v15.53.4

v15.54.0

v15.54.1

v15.54.2

v15.54.3

v15.54.4

v15.54.5

v15.55.0

v15.55.1

v15.55.2

v15.55.3

v15.55.4

v15.55.5

v15.56.0

v15.57.0

v15.57.1

v15.57.2

v15.57.3

v15.57.4

v15.57.5

v15.58.0

v15.58.1

v15.58.2

v15.59.0

v15.6.0

v15.6.1

v15.60.0

v15.60.1

v15.60.2

v15.61.0

v15.61.1

v15.62.0

v15.63.0

v15.64.0

v15.64.1

v15.65.0

v15.65.1

v15.65.2

v15.65.3

v15.65.4

v15.66.0

v15.66.1

v15.67.0

v15.68.0

v15.69.0

v15.69.1

v15.69.2

v15.7.0

v15.70.0

v15.70.1

v15.70.2

v15.71.0

v15.71.1

v15.72.0

v15.72.1

v15.72.2

v15.72.3

v15.73.0

v15.73.1

v15.73.2

v15.74.0

v15.75.0

v15.75.1

v15.76.0

v15.77.0

v15.78.0

v15.78.1

v15.79.0

v15.79.1

v15.79.2

v15.8.0

v15.8.1

v15.8.2

v15.8.3

v15.80.0

v15.80.1

v15.81.0

v15.81.1

v15.81.2

v15.81.3

v15.82.0

v15.82.1

v15.82.2

v15.83.0

v15.83.1

v15.83.2

v15.84.0

v15.85.0

v15.85.1

v15.86.0

v15.87.0

v15.87.1

v15.87.2

v15.88.0

v15.88.1

v15.89.0

v15.9.0

v15.9.1

v3.*

v3.1.0

v3.1.1

v3.1.2

v3.2.0

v3.2.1

v3.2.2

v3.2.3

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.3.8

v3.4.0

v3.4.1

v3.4.2

v3.4.3

v3.4.4

v3.4.5

v3.4.6

v3.4.7

v3.4.8

v3.4.9

v3.5.0

v3.5.1

v3.6.0

v3.6.1

v3.6.2

v3.6.3

v3.6.4

v3.6.5

v3.6.6

v3.7.0

v3.7.1

v3.8.0

v3.8.1

v3.8.2

v3.8.3

v3.8.4

v3.8.5

v3.8.6

Other

v4-beta2

v4.*

v4.0.1

v4.10.0

v4.11.0

v4.11.1

v4.11.2

v4.12.0

v4.13.0

v4.13.1

v4.14.0

v4.15.0

v4.15.1

v4.15.2

v4.15.3

v4.15.4

v4.16.0

v4.17.0

v4.18.0

v4.18.1

v4.19.0

v4.20.0

v4.20.1

v4.20.2

v4.21.0

v4.21.1

v4.21.2

v4.21.3

v4.21.4

v4.22.0

v4.22.1

v4.22.2

v4.23.0

v4.24.0

v4.24.1

v4.24.2

v4.24.3

v4.24.4

v4.25.0

v4.25.1

v4.25.2

v4.25.3

v4.25.4

v4.25.5

v4.25.6

v4.25.7

v4.3.0

v4.4.0

v4.4.1

v4.4.2

v4.5.0

v4.5.1

v4.5.2

v4.6.0

v4.6.1

v4.6.2

v4.7.0

v4.7.1

v4.7.2

v4.8.0

v4.9.0

v4.9.1

v4.9.2

v4.9.3

v5.*

v5.0.0

v5.0.1

v5.0.10

v5.0.11

v5.0.12

v5.0.13

v5.0.14

v5.0.15

v5.0.16

v5.0.17

v5.0.18

v5.0.19

v5.0.2

v5.0.20

v5.0.21

v5.0.22

v5.0.23

v5.0.24

v5.0.25

v5.0.26

v5.0.27

v5.0.28

v5.0.29

v5.0.3

v5.0.4

v5.0.5

v5.0.6

v5.0.7

v5.0.8

v5.0.9

v5.1.0

v5.1.1

v5.1.2

v5.1.3

v5.1.4

v5.1.5

v5.1.6

v5.2.0

v5.2.1

v5.3.0

v5.3.1

v5.4.0

v5.4.1

v5.4.2

v5.5.0

v5.5.1

v5.6.0

v5.6.1

v5.6.2

v5.6.3

v5.6.4

v5.7.0

v5.7.1

v5.7.2

v5.7.3

v5.7.4

v5.7.5

v5.7.6

v5.7.7

v5.8.0

v5.8.1

v5.8.2

v6.*

v6.0.0

v6.0.1

v6.1.0

v6.1.1

v6.10.0

v6.10.1

v6.10.2

v6.11.0

v6.11.1

v6.11.2

v6.11.3

v6.12.0

v6.12.1

v6.12.10

v6.12.11

v6.12.2

v6.12.3

v6.12.4

v6.12.5

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13.0

v6.13.1

v6.14.0

v6.14.1

v6.15.0

v6.15.1

v6.16.0

v6.16.1

v6.16.2

v6.16.3

v6.16.4

v6.17.0

v6.18.0

v6.18.1

v6.18.2

v6.18.3

v6.18.4

v6.19.0

v6.2.0

v6.2.1

v6.20.0

v6.21.0

v6.21.1

v6.21.2

v6.21.3

v6.21.4

v6.21.5

v6.21.6

v6.22.0

v6.22.1

v6.23.0

v6.23.1

v6.23.2

v6.23.3

v6.23.4

v6.23.5

v6.23.6

v6.23.7

v6.24.0

v6.24.1

v6.24.2

v6.24.3

v6.24.4

v6.24.5

v6.25.0

v6.25.1

v6.25.2

v6.25.3

v6.25.4

v6.25.5

v6.26.0

v6.27.0

v6.27.1

v6.27.10

v6.27.11

v6.27.12

v6.27.13

v6.27.14

v6.27.15

v6.27.16

v6.27.17

v6.27.18

v6.27.19

v6.27.2

v6.27.20

v6.27.21

v6.27.22

v6.27.23

v6.27.24

v6.27.25

v6.27.26

v6.27.3

v6.27.4

v6.27.5

v6.27.6

v6.27.7

v6.27.8

v6.27.9

v6.3.0

v6.3.1

v6.3.2

v6.4.0

v6.4.1

v6.4.2

v6.4.3

v6.4.4

v6.4.5

v6.4.6

v6.4.7

v6.5.0

v6.5.1

v6.5.2

v6.5.3

v6.6.0

v6.6.1

v6.6.2

v6.6.3

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.7.0

v6.7.1

v6.7.2

v6.7.3

v6.7.4

v6.7.5

v6.7.6

v6.7.7

v6.7.8

v6.8.0

v6.8.1

v6.8.2

v6.8.3

v6.8.4

v6.9.0

v6.9.1

v6.9.2

v7.*

v7.0.0

v7.0.1

v7.0.10

v7.0.11

v7.0.12

v7.0.13

v7.0.14

v7.0.15

v7.0.16

v7.0.17

v7.0.18

v7.0.19

v7.0.2

v7.0.20

v7.0.21

v7.0.22

v7.0.23

v7.0.24

v7.0.25

v7.0.26

v7.0.27

v7.0.28

v7.0.29

v7.0.3

v7.0.30

v7.0.31

v7.0.32

v7.0.33

v7.0.34

v7.0.35

v7.0.36

v7.0.37

v7.0.38

v7.0.39

v7.0.4

v7.0.40

v7.0.41

v7.0.42

v7.0.43

v7.0.44

v7.0.45

v7.0.46

v7.0.47

v7.0.48

v7.0.49

v7.0.5

v7.0.50

v7.0.51

v7.0.52

v7.0.53

v7.0.54

v7.0.55

v7.0.56

v7.0.57

v7.0.58

v7.0.59

v7.0.6

v7.0.60

v7.0.61

v7.0.62

v7.0.63

v7.0.7

v7.0.8

v7.0.9

v7.1.0

v7.1.1

v7.1.10

v7.1.11

v7.1.12

v7.1.13

v7.1.14

v7.1.15

v7.1.16

v7.1.17

v7.1.18

v7.1.19

v7.1.2

v7.1.20

v7.1.21

v7.1.22

v7.1.23

v7.1.24

v7.1.25

v7.1.26

v7.1.27

v7.1.28

v7.1.29

v7.1.3

v7.1.4

v7.1.5

v7.1.6

v7.1.7

v7.1.8

v7.1.9

v7.2.0

v7.2.1

v7.2.10

v7.2.11

v7.2.12

v7.2.13

v7.2.14

v7.2.15

v7.2.16

v7.2.17

v7.2.18

v7.2.19

v7.2.2

v7.2.20

v7.2.21

v7.2.22

v7.2.23

v7.2.24

v7.2.25

v7.2.26

v7.2.27

v7.2.28

v7.2.29

v7.2.3

v7.2.30

v7.2.31

v7.2.32

v7.2.4

v7.2.5

v7.2.6

v7.2.7

v7.2.8

v7.2.9

v8.*

v8.0.0

v8.0.1

v8.0.10

v8.0.11

v8.0.12

v8.0.13

v8.0.14

v8.0.15

v8.0.16

v8.0.17

v8.0.18

v8.0.19

v8.0.2

v8.0.20

v8.0.21

v8.0.22

v8.0.23

v8.0.24

v8.0.25

v8.0.26

v8.0.27

v8.0.28

v8.0.29

v8.0.3

v8.0.30

v8.0.31

v8.0.32

v8.0.33

v8.0.34

v8.0.35

v8.0.36

v8.0.37

v8.0.38

v8.0.39

v8.0.4

v8.0.40

v8.0.41

v8.0.42

v8.0.43

v8.0.44

v8.0.45

v8.0.46

v8.0.47

v8.0.48

v8.0.49

v8.0.5

v8.0.50

v8.0.51

v8.0.6

v8.0.7

v8.0.8

v8.0.9

v8.1.0

v8.1.1

v8.1.2

v8.1.3

v8.1.4

v8.1.5

v8.1.6

v8.1.7

v8.10.0

v8.10.1

v8.10.2

v8.11.0

v8.11.1

v8.11.2

v8.11.3

v8.11.4

v8.11.5

v8.11.6

v8.2.0

v8.2.1

v8.2.2

v8.2.3

v8.2.4

v8.2.5

v8.3.0

v8.3.1

v8.3.2

v8.3.3

v8.3.4

v8.3.5

v8.3.6

v8.4.0

v8.4.1

v8.4.2

v8.4.3

v8.5.0

v8.5.1

v8.5.2

v8.5.3

v8.5.4

v8.5.5

v8.6.0

v8.6.1

v8.6.2

v8.6.3

v8.6.4

v8.6.5

v8.6.6

v8.7.0

v8.7.1

v8.7.2

v8.7.3

v8.8.0

v8.8.1

v8.8.2

v8.8.3

v8.8.4

v8.8.5

v8.8.6

v8.9.0

v8.9.1

v8.9.2

v9.*

v9.0.0

v9.0.1

v9.0.2

v9.0.3

v9.0.4

v9.0.5

v9.0.6

v9.0.7

v9.0.8

v9.0.9

v9.1.0

v9.1.1

v9.1.2

v9.1.3

v9.1.4

v9.1.5

v9.1.6

v9.1.7

v9.1.8

v9.2.0

v9.2.1

v9.2.10

v9.2.11

v9.2.12

v9.2.13

v9.2.14

v9.2.15

v9.2.16

v9.2.17

v9.2.18

v9.2.19

v9.2.2

v9.2.20

v9.2.21

v9.2.22

v9.2.23

v9.2.24

v9.2.3

v9.2.4

v9.2.5

v9.2.6

v9.2.7

v9.2.8

v9.2.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67289.json"