Unrated severityNVD Advisory· Published Sep 6, 2025· Updated Sep 8, 2025

ERP: Possibility of SQL injection due to missing validation

CVE-2025-58439

Description

ERP is a free and open source Enterprise Resource Planning tool. In versions below 14.89.2 and 15.0.0 through 15.75.1, lack of validation of parameters left certain endpoints vulnerable to error-based SQL Injection. Some information like version could be retrieved. This issue is fixed in versions 14.89.2 and 15.76.0.

Affected products

Wp Erp/Wp Erpllm-fuzzy
Range: <14.89.2 || >=15.0.0 <15.76.0
Frappe/Erpnextv5
Range: >=15.0.0, < 15.76.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/frappe/erpnext/pull/49219mitrex_refsource_MISC
github.com/frappe/erpnext/pull/49220mitrex_refsource_MISC
github.com/frappe/erpnext/security/advisories/GHSA-fvjw-5w9q-6v39mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000