VYPR
Unrated severity · OSV Advisory · Published Dec 3, 2025 · Updated Dec 3, 2025

CVE-2025-65267

Description

In ERPNext v15.83.2 and Frappe Framework v15.86.0, uploaded SVG avatar images are not validated, so an attacker can upload an SVG that embeds JavaScript (SVG is XML and may carry `<script>` elements, event-handler attributes such as `onload`, and `javascript:` links). Browsers do not execute script in an SVG rendered through an `<img>` element, but when an administrator follows the link to the file and the browser opens it directly, it is rendered as a document and any script it contains runs in the origin the file is served from, with the administrator's session; that is what makes this stored cross-site scripting (XSS) rather than a harmless download. Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.
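The check below is an added example, not Frappe or ERPNext code; it shows the kind of server-side validation the advisory describes as missing. It rejects an uploaded SVG that carries anything able to run script when the file is opened directly: `<script>` and foreign-content elements, `on*` event handlers, `javascript:`/`data:` URLs (including ones obfuscated with whitespace), SMIL animations that rewrite an `href`, and DOCTYPE/entity declarations. The function names, rule sets and sample SVGs are constructed for this illustration.

```python
"""Reject uploaded SVG avatars that can execute script.

Added example, not Frappe/ERPNext code: it demonstrates the kind of
validation the advisory says was missing. Function names, rule sets and the
sample SVGs below are constructed for this illustration.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that execute script or embed arbitrary HTML / external content.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# SMIL animation elements can rewrite an href to a javascript: URL at runtime.
ANIMATION_ELEMENTS = {"animate", "set", "animateTransform", "animateMotion"}
# Schemes that run code or smuggle a nested document. data: is rejected
# outright because an avatar never needs it and nested SVGs are hard to vet.
_SCHEME_RE = re.compile(r"^(javascript|vbscript|data):", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the namespace from an ElementTree name ('{ns}script' -> 'script')."""
    return name.rsplit("}", 1)[-1]


def _dangerous_url(value: str) -> bool:
    """True if the value is a script/data URL once the whitespace and control
    characters that browsers ignore are removed (e.g. 'jAva<TAB>script:')."""
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return bool(_SCHEME_RE.match(cleaned))


def find_svg_issues(data: bytes) -> list[str]:
    """Return the reasons an SVG upload must be rejected; an empty list means clean."""
    head = data[:4096].lower()
    # A DOCTYPE enables entity expansion (billion laughs) and external-entity
    # tricks; an avatar never needs one, so refuse before parsing at all.
    if b"<!doctype" in head or b"<!entity" in head:
        return ["DOCTYPE/ENTITY declaration not allowed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    # A standalone SVG must declare the SVG namespace on its root element.
    if root.tag != f"{{{SVG_NS}}}svg":
        return [f"root element is {root.tag!r}, expected namespaced <svg>"]

    issues: list[str] = []
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            issues.append(f"forbidden element <{name}>")
        if name in ANIMATION_ELEMENTS and el.get("attributeName", "").lower().endswith("href"):
            issues.append(f"<{name}> animating an href attribute")
        for attr, value in el.attrib.items():
            local_attr = _local(attr)
            # Any on* attribute (onload, onclick, onbegin, ...) is an event handler.
            if local_attr.lower().startswith("on"):
                issues.append(f"event handler attribute {local_attr} on <{name}>")
            if _dangerous_url(value):
                issues.append(f"{local_attr} on <{name}> uses a script/data URL")
            # <use> may only reference an element inside the same file.
            if name == "use" and local_attr == "href" and not value.startswith("#"):
                issues.append("<use> references content outside the document")
    return issues


def is_safe_avatar_svg(data: bytes) -> bool:
    """Convenience wrapper for an upload handler: accept only a clean SVG."""
    return not find_svg_issues(data)


# Constructed samples: one benign avatar and several payload shapes.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="teal"/></svg>')
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>alert(document.cookie)</script></svg>')
ONLOAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="jAva\tscript:alert(1)"><text y="10">click</text></a></svg>')
SET_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><a><set attributeName="href" '
           b'to="javascript:alert(1)"/><text y="10">click</text></a></svg>')
DOCTYPE_SVG = (b'<!DOCTYPE svg [<!ENTITY a "aaaa">]>'
               b'<svg xmlns="http://www.w3.org/2000/svg"><text>&a;</text></svg>')

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                          ("onload", ONLOAD_SVG), ("href", HREF_SVG),
                          ("set", SET_SVG), ("doctype", DOCTYPE_SVG)]:
        print(f"{label:8s} safe={is_safe_avatar_svg(sample)} issues={find_svg_issues(sample)}")
```

Run this in the upload path before the file is written to storage, not when it is served. A deny-list like this is only a floor: the conservative choices (rejecting `data:` URLs and external `<use>` targets) will turn away some legitimate files, and a production filter should instead allow-list the elements and attributes an avatar actually needs. Independently of content filtering, the application should never serve user uploads inline from its own origin: sending `Content-Disposition: attachment` (or a `Content-Security-Policy: sandbox` header on the file response, or serving uploads from a separate origin) means that even an SVG that slips past validation cannot run script with the administrator's session when the link is followed.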

Affected products

  • Frappe/Erpnext (OSV record; no CPE)
    • Versions listed: 4.0.0, 4.0.0-beta1, v10.0.0, … (+1 more)
    • Range: v15.83.2
  • Frappe Framework
    • Range: v15.86.0

Patches

No patches discovered yet (0 linked).

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1 reference listed (link not reproduced on this page).

News mentions

No linked articles in our index yet (0 mentions).