Unrated severityOSV Advisory· Published Dec 22, 2025· Updated Dec 22, 2025

CVE-2025-67289

Description

An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.

Affected products

Frappe/ErpnextOSV
Range: 4.0.0, 4.0.0-beta1, v10.0.0, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

erpnext.commitre
frappe.commitre
github.com/vuquyen03/CVE/blob/main/CVE-2025-67289/README.mdmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000