Cyber Posture

CVE-2025-68929

Critical

Published: 29 December 2025
Modified: 31 December 2025
CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0025 (47.8th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server, resulting in remote code execution. Versions 14.99.6 and 15.88.1 fix the issue. No known workarounds are available.

Mitigating Controls (NIST 800-53 r5)

Prevent: Enforces validation and sanitization of user-supplied inputs from crafted links to prevent server-side template injection leading to RCE.
Prevent: Requires timely identification, reporting, and patching of flaws like this RCE vulnerability in Frappe versions prior to 14.99.6 and 15.88.1.
Prevent: Limits the number of authenticated users with the specific permissions required to trigger the malicious template execution via least privilege enforcement.

Security Summary

CVE-2025-68929 is a remote code execution vulnerability in Frappe, a full-stack web application framework. It affects versions prior to 14.99.6 and 15.88.1, where an authenticated user with specific permissions can be tricked into accessing a specially crafted link. This leads to the execution of a malicious template on the server. The issue is classified under CWE-1336 and carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

Exploitation requires an attacker to target an authenticated user with the requisite permissions, typically via social engineering such as phishing to induce the victim to access the crafted link. Successful exploitation results in arbitrary code execution on the server with high confidentiality, integrity, and availability impacts, and the changed scope amplifies the potential for broader system compromise.

Frappe's security advisory (GHSA-qq98-vfv9-xmxh) and release notes for versions 14.99.6 and 15.88.1 confirm the patches that address the vulnerability. No known workarounds exist, so administrators should prioritize upgrading affected installations.
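As an added defender-side check (not from the advisory or the Frappe project): a script that compares an installed Frappe version against the fix versions the description states, 14.99.6 and 15.88.1, and flags anything below the fix on its own release branch. The `bench version` output it scans is a constructed sample, and the "app version" line format is assumed.

```python
import re

# Fixed releases per major branch, taken from the advisory text above.
# Fourth element 1 = final release; a pre-release suffix gets 0 so that
# e.g. 15.88.1-rc1 still sorts below the 15.88.1 fix and is flagged.
FIXED_VERSIONS = {14: (14, 99, 6, 1), 15: (15, 88, 1, 1)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(\S*)$")


def parse_version(text):
    """Turn '15.88.1', 'v14.99.6' or '15.88.1-rc1' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def is_affected(version):
    """True if below the fix on its branch, False if fixed, None if the
    advisory does not cover that major branch (review by hand)."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    return v < fixed


def scan_bench_output(output):
    """Check every 'frappe <version>' line of `bench version` output.

    Only the frappe app is checked; the advisory names no other app.
    """
    results = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "frappe":
            results[parts[1]] = is_affected(parts[1])
    return results


# Constructed sample of `bench version` output, not captured from a real site.
SAMPLE_BENCH_VERSION = "erpnext 15.40.0\nfrappe 15.87.3\n"

if __name__ == "__main__":
    labels = {True: "AFFECTED, upgrade", False: "fixed", None: "unknown branch"}
    for ver, hit in scan_bench_output(SAMPLE_BENCH_VERSION).items():
        print("frappe", ver, "->", labels[hit])
```

A branch the advisory does not name (for example a 16.x line) is reported as unknown rather than fixed, so it still gets reviewed against the vendor's release notes.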

Details

CWE(s): CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)

Affected Products: frappe / frappe, versions ≤ 14.99.6 · 15.0.0 — 15.88.1

MITRE ATT&CK Enterprise Techniques

T1221 Template Injection (Stealth): Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques? The CVE enables template injection (T1221) via a crafted link in a public-facing web framework (T1190), leading to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
