VYPR
Unrated severity · OSV Advisory · Published Dec 29, 2025 · Updated Dec 29, 2025

Frappe may be vulnerable to remote code execution due to server-side template injection

CVE-2025-68929

Description

Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server, resulting in remote code execution. Versions 14.99.6 and 15.88.1 fix the issue. No known workarounds are available.


Affected products (2)

  • Frappe/Frappe (OSV), 2 version ranges
    • (no CPE) range: 12.0.0, 4.0.0, 4.0.0-beta1, … + 1 more
    • (no CPE) range: <14.99.6 or <15.88.1
