CVE-2025-66438
CVE-2025-66438 is a high-severity vulnerability in Frappe Erpnext with a CVSS 3.x base score of 8.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-94.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- EPSS exploit prediction: 0% (35th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-203388
- Weakness: CWE-94
- Affected product: Frappe Erpnext
- Published:
- Last modified:
Description
A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.get_html_and_style() triggers the rendering of the html field inside a Print Format document using frappe.render_template(template, doc) via the get_rendered_template() call chain. Although ERPNext wraps Jinja2 in a SandboxedEnvironment, it exposes sensitive functions such as frappe.db.sql through get_safe_globals(). An authenticated attacker with permission to create or modify a Print Format can inject arbitrary Jinja expressions into the html field. Once the malicious Print Format is saved, the attacker can call get_html_and_style() with a target document (e.g., Supplier or Sales Invoice) to trigger the render process. This leads to information disclosure from the database, such as database version, schema details, or sensitive values, depending on the injected payload. Exploitation flow: Create a Print Format with SSTI payload in the html field; call the get_html_and_style() API; triggers frappe.render_template(template, doc) inside get_rendered_template(); leaks database information via frappe.db.sql or other exposed globals.
Frequently asked questions
- What is CVE-2025-66438?
- A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.get_html_and_style() triggers the rendering of the html field inside a Print Format document using frappe.render_template(template, doc) via the get_rendered_template() call chain. Although ERPNext wraps Jinja2 in a SandboxedEnvironment, it exposes sensitive functions such as frappe.db.sql through get_safe_globals(). An authenticated attacker with permission to create or modify a Print Format can inject arbitrary Jinja expressions into the html field. Once the malicious Print Format is saved, the attacker can call get_html_and_style() with a target document (e.g., Supplier or Sales Invoice) to trigger the render process. This leads to information disclosure from the database, such as database version, schema details, or sensitive values, depending on the injected payload. Exploitation flow: Create a Print Format with SSTI payload in the html field; call the get_html_and_style() API; triggers frappe.render_template(template, doc) inside get_rendered_template(); leaks database information via frappe.db.sql or other exposed globals.
- How severe is CVE-2025-66438?
- CVE-2025-66438 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-66438 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (35th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-66438?
- CVE-2025-66438 affects Frappe Erpnext. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-66438?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-66438 have an EU (EUVD) identifier?
- Yes. CVE-2025-66438 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-203388.
- When was CVE-2025-66438 published?
- CVE-2025-66438 was published on 2025-12-15 and last updated on 2026-06-17.
References
- https://iamanc.github.io/post/erpnext-ssti-bug-5
- https://www.notion.so/SSTI-bug-5-239e6086eadc80a48f17c1257a604d2c?source=copy_link
Affected products (1)
- cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*
More vulnerabilities in Frappe Erpnext
- CVE-2026-44442 — Critical (CVSS 9.9): ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to…
- CVE-2026-38431 — Critical (CVSS 9.8): ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to…
- CVE-2025-67289 — Critical (CVSS 9.6): An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to…
- CVE-2026-31017 — Critical (CVSS 9.1): A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and…
- CVE-2026-27471 — Critical (CVSS 9.1): ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through…
- CVE-2025-65267 — Critical (CVSS 9.0): In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers…
All CVEs affecting Frappe Erpnext →
Other CWE-94 (Code Injection) vulnerabilities
- CVE-2026-57624 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.
- CVE-2026-10134 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read…
- CVE-2026-53576 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter…
- CVE-2026-10561 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined…
- CVE-2026-25470 — Critical (CVSS 10.0): Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin…
- CVE-2026-48836 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.