CVE-2025-58439

ERP is a free and open source Enterprise Resource Planning tool. In versions below 14.89.2 and 15.0.0 through 15.75.1, lack of validation of parameters left certain endpoints vulnerable to error-based SQL Injection. Some information like version could be retrieved. This issue is fixed in versions 14.89.2 and 15.76.0.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
GitHub_MCNA
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
VendorProductVersion
frappeerpnext
𝑥
< 14.89.2
frappeerpnext
15.0.0 ≤
𝑥
< 15.76.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/frappe/erpnext/pull/49219
https://github.com/frappe/erpnext/pull/49220
https://github.com/frappe/erpnext/security/advisories/GHSA-fvjw-5w9q-6v39