Frappé 15.86.0
Approved changes feed: RSS · Atom
cpe:2.3:a:frappe:frappe:15.86.0:*:*:*:*:*:*:*
part: a version: 15.86.0 update: *
| Vendor | Frappe (a51f8b94-1fb6-5e30-97d7-fbeb544c71ba) |
|---|---|
| Product | Frappe (8a44176d-533c-53c6-aaf4-17dd3ac01c2a) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/frappe/frappe |
purl2cpe | 2026-06-01 10:17:00.332694 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2025-65267 |
vulnerable | 2026-06-03 15:09:40.319264 |
Details available
In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.
Published: 2025-12-03T00:00:00.000Z
Updated: 2025-12-03T15:13:30.219Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.