CVE-2025-68929
Unknown Unknown - Not Provided
Remote Code Execution via Template Injection in Frappe Framework

Publication date: 2025-12-29

Last updated on: 2025-12-29

Assigner: GitHub, Inc.

Description
Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server, resulting in remote code execution. Versions 14.99.6 and 15.88.1 fix the issue. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-29
Last Modified
2025-12-29
Generated
2026-05-07
AI Q&A
2025-12-29
EPSS Evaluated
2026-05-05
NVD
CVE-2025-68929
EUVD
EUVD-2025-205602
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
frappe frappe *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Frappe web application framework allows an authenticated user with specific permissions to be tricked into accessing a specially crafted link. Doing so could cause a malicious template to be executed on the server, leading to remote code execution.


How can this vulnerability impact me? :

The vulnerability can lead to remote code execution on the server, which means an attacker could run arbitrary code remotely. This can compromise the server's integrity, confidentiality, and availability, potentially leading to data breaches, system control loss, or service disruption.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Frappe to version 14.99.6 or 15.88.1 or later, as these versions contain the fix for this vulnerability. No known workarounds are available.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows remote code execution with high impact on confidentiality, integrity, and availability, which could lead to unauthorized access or manipulation of sensitive data. This poses significant risks to compliance with standards like GDPR and HIPAA that require protection of personal and sensitive information. Exploitation could result in data breaches or unauthorized data processing, thereby violating these regulations. Remediation by upgrading to fixed versions is critical to maintain compliance. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart