CVE-2025-65267
Published: 03 December 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-65267, published on 2025-12-03, is a stored cross-site scripting (XSS) vulnerability (CWE-79) affecting ERPNext version 15.83.2 and Frappe Framework version 15.86.0. The issue arises from improper validation of uploaded SVG avatar images: the upload path accepts an SVG file without rejecting or stripping embedded script, so an attacker can store an avatar that carries a JavaScript payload.
An attacker who already holds a low-privileged account on the instance (PR:L, reachable over the network, AV:N) uploads a specially crafted SVG avatar containing JavaScript. The payload is stored by the application and executes in an administrator's browser when the administrator opens the avatar link directly (UI:R). Script inside an SVG does not run while the file is merely rendered through an img element, which is why the trigger is the click on the link rather than the avatar being displayed. Because the uploaded file is then served from the application's own origin, the script runs with the administrator's session: the vulnerable component is the file upload, but the impact lands in a different security scope, the administrator's browser session, hence S:C. Successful exploitation can therefore result in high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), including administrator account takeover, privilege escalation, or full compromise of the affected ERPNext instance. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).
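The following is an added example, not code from Frappe, ERPNext or the proof-of-concept repository: a pre-storage check in Python that an avatar upload handler could run to reject SVG files carrying the kinds of script vector this advisory describes. The two sample SVGs are constructed for the example (the malicious one follows the described pattern, it is not the published PoC), and the names svg_findings and is_safe_svg are the example's own.

```python
"""Reject SVG avatars that can execute script when opened directly in a browser.

Added example, not Frappe/ERPNext code. An upload handler would call
is_safe_svg() on the raw bytes before storing the file.
"""
import re
import xml.etree.ElementTree as ET

# Raw-byte checks done before parsing. A DTD enables entity expansion (a DoS
# and a smuggling vector, and the reason xml.etree alone is not safe on
# untrusted input), and an xml-stylesheet PI can pull in XSLT that emits script.
DOCTYPE_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
STYLESHEET_PI_RE = re.compile(rb"<\?xml-stylesheet\b", re.IGNORECASE)

# Elements that run script or embed foreign (HTML) content.
SCRIPT_ELEMENTS = {"script", "foreignobject"}
# SMIL elements that can rewrite an href at render time.
ANIMATION_ELEMENTS = {"set", "animate", "animatetransform", "animatemotion"}


def _local(name: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'.
    Lower-cased so the check is conservative; SVG itself is case-sensitive."""
    return name.rsplit("}", 1)[-1].lower()


def _normalize_uri(value: str) -> str:
    """Browsers strip ASCII control characters (tab, newline) and leading
    whitespace from URLs, so 'java<TAB>script:' still runs. Do the same
    before matching the scheme."""
    return re.sub(r"[\x00-\x1f]", "", value).strip().lower()


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG is unsafe; an empty list means no vector found."""
    if DOCTYPE_RE.search(data):
        return ["doctype-or-entity-declaration"]
    findings: list[str] = []
    if STYLESHEET_PI_RE.search(data):
        findings.append("xml-stylesheet-pi")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"xml-parse-error: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root-not-svg: {_local(root.tag)}")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in SCRIPT_ELEMENTS:
            findings.append(f"element: <{tag}>")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):          # onload, onclick, onmouseover, ...
                findings.append(f"event-handler: {tag}@{a}")
            if _normalize_uri(value).startswith("javascript:"):
                findings.append(f"script-uri: {tag}@{a}")
            if (tag in ANIMATION_ELEMENTS and a == "attributename"
                    and value.split(":")[-1].lower() == "href"):
                findings.append(f"animated-href: <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


# Constructed sample in the shape the advisory describes: a plausible avatar
# that also carries several distinct script vectors (not the published PoC).
MALICIOUS_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="96" height="96" onload="console.log('onload')">
  <circle cx="48" cy="48" r="40" fill="#0a84ff"/>
  <script>/* runs with the viewer's session when the file is opened directly */
    console.log("executed in " + location.origin);</script>
  <a xlink:href="java&#x9;script:alert(document.domain)"><text x="20" y="52">me</text></a>
  <set attributeName="xlink:href" to="javascript:alert(1)"/>
</svg>"""

# Constructed benign avatar that must pass.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <title>avatar</title>
  <path d="M12 2a10 10 0 1 0 0 20 10 10 0 0 0 0-20z" fill="#ccc"/>
</svg>"""


if __name__ == "__main__":
    print("benign   :", svg_findings(BENIGN_SVG))
    print("malicious:", svg_findings(MALICIOUS_SVG))
```

This is a detection layer, and a deny-list by nature; the stronger fixes are to refuse SVG avatars altogether (re-encode to PNG), or to make direct rendering harmless by serving user uploads with Content-Disposition: attachment or from a separate origin, so a script that does run has no access to the application's session.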
Mitigation details and patches, where available, can be found in the referenced advisories: the proof-of-concept repository at https://github.com/PhDg1410/CVE/tree/main/CVE-2025-65267 and the official project repositories at https://github.com/frappe/erpnext and https://github.com/frappe/frappe.
Details
CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Affected Products: ERPNext 15.83.2; Frappe Framework 15.86.0
MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application); T1027.017 (SVG Smuggling)
Why these techniques?
Because the upload handler does not validate SVG content, an attacker can hide JavaScript inside an SVG avatar (SVG Smuggling, T1027.017). The stored payload executes when an administrator opens the file, and that is the path by which the Internet-facing ERPNext/Frappe web application is exploited (Exploit Public-Facing Application, T1190).