CVE-2025-66436
BaseFortify
Publication date: 2025-12-15
Last updated on: 2025-12-23
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | erpnext | up to and including 15.89.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Server-Side Template Injection (SSTI) in the get_terms_and_conditions method of Frappe ERPNext up to version 15.89.0. It occurs because the method renders attacker-controlled Jinja2 templates using frappe.render_template() with a user-supplied context. Although a custom SandboxedEnvironment is used, dangerous globals like frappe.db.sql remain accessible, allowing an authenticated attacker who can create or modify Terms and Conditions documents to inject arbitrary Jinja expressions. This leads to server-side code execution in a restricted but unsafe context.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can execute arbitrary server-side code within the application context. This can lead to leakage of sensitive database information and potentially other unauthorized actions on the server, compromising the confidentiality and integrity of the system.
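The explanation above makes a point worth seeing in code: a Jinja2 SandboxedEnvironment blocks introspection of objects in the template context, but it cannot block a callable that the application itself hands to the template. The block below is an added example written for this page; it is not code from Frappe, ERPNext or the advisory. FakeDB, DOC and the two render functions are constructed stand-ins: the "exposed handle" render mirrors the pattern the advisory describes (sandbox on, live handle in the context, user-controlled template text), and the "data-only" render shows the mitigation of building the context from plain document fields. The unexpected_names helper is a defender-side check that flags stored templates referencing names outside an allowlist, which is what you would run over existing records when triaging this class of issue.

```python
"""Added example (not from Frappe/ERPNext or the advisory): why a Jinja2
sandbox does not neutralize callables that the application itself exposes,
plus a data-only context and a pre-render allowlist check as mitigations."""
from jinja2 import StrictUndefined, meta
from jinja2.exceptions import SecurityError, UndefinedError
from jinja2.sandbox import SandboxedEnvironment


class FakeDB:
    """Constructed stand-in for a database handle. A real handle would run
    the query; this one only records that it was reached from a template."""

    def sql(self, query):
        return "QUERY-RAN:" + query


# Constructed document record. In the advisory's scenario the template text
# itself comes from a user-editable record, so it must be treated as untrusted.
DOC = {"customer_name": "ACME Ltd", "grand_total": 100}


def render_with_exposed_handle(template_text):
    """Vulnerable pattern: sandbox enabled, but a live handle sits in the
    context, so any template author can call it."""
    env = SandboxedEnvironment(autoescape=True, undefined=StrictUndefined)
    return env.from_string(template_text).render(doc=DOC, db=FakeDB())


def render_data_only(template_text):
    """Hardened pattern: the context contains only plain data fields copied
    from the document, never handles, modules or functions."""
    env = SandboxedEnvironment(autoescape=True, undefined=StrictUndefined)
    safe_doc = {k: v for k, v in DOC.items() if isinstance(v, (str, int, float))}
    return env.from_string(template_text).render(doc=safe_doc)


def probe(render, template_text):
    """Run one template through a render function.
    Returns ("ok", output) or ("blocked", exception class name)."""
    try:
        return ("ok", render(template_text))
    except (SecurityError, UndefinedError, AttributeError, TypeError) as exc:
        return ("blocked", type(exc).__name__)


def unexpected_names(template_text, allowed=("doc",)):
    """Static check for stored templates: list top-level names the template
    references that are not on the allowlist. Useful for scanning existing
    records before and after tightening the render context."""
    env = SandboxedEnvironment()
    names = meta.find_undeclared_variables(env.parse(template_text))
    return sorted(names - set(allowed))


if __name__ == "__main__":
    cases = [
        ("exposed handle, benign field", render_with_exposed_handle, "{{ doc.customer_name }}"),
        ("exposed handle, introspection", render_with_exposed_handle, "{{ doc.__class__ }}"),
        ("exposed handle, call on handle", render_with_exposed_handle, '{{ db.sql("select 1") }}'),
        ("data only, call on handle", render_data_only, '{{ db.sql("select 1") }}'),
    ]
    for label, render, tpl in cases:
        print(f"{label:35s} -> {probe(render, tpl)}")
    print("unexpected names:", unexpected_names('{{ db.sql("select 1") }}'))
```

The sandbox correctly refuses the introspection case, which is the protection people expect from it; the call on the exposed handle succeeds because the handle is an ordinary public attribute of an object the application chose to provide. Removing the handle from the context, rather than trying to enumerate dangerous methods on it, is the change that closes the exposure.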