Unrated severity · OSV Advisory · Published Dec 15, 2025 · Updated Dec 16, 2025
CVE-2025-66439
Description
An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext.accounts.doctype.payment_entry.payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by injecting SQL payloads via the from_posting_date parameter, which is directly interpolated into the query without proper sanitization or parameter binding.
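The difference between interpolating `from_posting_date` into the SQL text and binding it, as an added example that is not ERPNext code. The table, sample rows and function names are constructed for illustration, and SQLite stands in for the production database.

```python
import sqlite3
from datetime import date

# Constructed value: a date followed by extra SQL text.
TAINTED = "2025-01-01' OR '1'='1"

def make_db():
    # Constructed sample data; not ERPNext's schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoice (name TEXT, party TEXT, posting_date TEXT)")
    db.executemany("INSERT INTO invoice VALUES (?, ?, ?)", [
        ("INV-1", "alice", "2025-01-10"),
        ("INV-2", "alice", "2025-03-05"),
        ("INV-3", "bob", "2025-02-20"),
    ])
    return db

def outstanding_interpolated(db, party, from_posting_date):
    # Weak pattern: the date string becomes part of the SQL text, so a quote
    # inside it can end the literal and change the WHERE clause.
    sql = ("SELECT name FROM invoice WHERE party = ? "
           f"AND posting_date >= '{from_posting_date}' ORDER BY name")
    return [row[0] for row in db.execute(sql, (party,))]

def outstanding_bound(db, party, from_posting_date):
    # Hardened pattern: reject anything that is not an ISO date, then pass
    # the value as a bound parameter so it is only ever treated as data.
    start = date.fromisoformat(from_posting_date)  # raises ValueError otherwise
    sql = ("SELECT name FROM invoice WHERE party = ? "
           "AND posting_date >= ? ORDER BY name")
    return [row[0] for row in db.execute(sql, (party, start.isoformat()))]

if __name__ == "__main__":
    db = make_db()
    print(outstanding_interpolated(db, "alice", "2025-02-01"))
    print(outstanding_interpolated(db, "alice", TAINTED))  # party filter bypassed
    print(outstanding_bound(db, "alice", "2025-02-01"))
    try:
        outstanding_bound(db, "alice", TAINTED)
    except ValueError as exc:
        print("rejected:", exc)
```

With the interpolated query the constructed value returns another party's row; the bound version rejects it before the query runs.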
Affected products (2)
Patches (0)
No patches discovered yet.
References (1)