CVE-2025-65267
Published: 03 December 2025
Summary
CVE-2025-65267 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Frappe ERPNext. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique SVG Smuggling (T1027.017). It is ranked at the 11.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the improper validation of uploaded SVG avatar images by enforcing input validation at the upload entry point to block embedded JavaScript payloads.
- SI-15 (Information Output Filtering): prevents execution of stored XSS payloads by filtering or neutralising the content served when administrators view the avatar image.
- SI-3 (Malicious Code Protection): mitigates the vulnerability by scanning uploads for active content, detecting and blocking JavaScript embedded in SVG files before they are stored.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The improper validation of uploaded SVG images enables SVG Smuggling (T1027.017): an attacker embeds JavaScript in the image, and the stored XSS payload executes when an administrator views it. Because the upload path is reachable over the network, this also constitutes exploitation of a public-facing application (T1190), the ERPNext/Frappe web front end.
NVD Description
In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.
Deeper analysis
CVE-2025-65267, published on 2025-12-03, is a stored cross-site scripting (XSS) vulnerability (CWE-79) affecting ERPNext version 15.83.2 and Frappe Framework version 15.86.0. The issue arises from improper validation of uploaded SVG avatar images, which allows attackers to embed malicious JavaScript payloads within these files.
An attacker with network access and a low-privileged account (AV:N, PR:L) can exploit this by uploading a specially crafted SVG avatar containing JavaScript. The payload remains stored and executes only when an administrator clicks the image link to view the avatar, so user interaction is required (UI:R); because the script then runs in the administrator's browser session rather than in the attacker's own security context, the scope is changed (S:C). Successful exploitation can result in high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), potentially leading to administrator account takeover, privilege escalation, or full compromise of the affected ERPNext instance. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).
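As an added illustration of the SI-10 input-validation control recommended above, the following Python check inspects an SVG before it is accepted as an avatar and rejects anything that can execute or fetch code: script and foreignObject elements, on* event-handler attributes, javascript:/data: URL schemes (including namespaced xlink:href) and external CSS references. This is example code written for this page, not Frappe's or ERPNext's own upload handling; the element and attribute lists, the function names and the two sample SVGs are this example's own assumptions, and the samples are constructed with inert marker bodies rather than real payloads.

```python
import re
import xml.etree.ElementTree as ET

# Element names (namespace stripped, case-folded) that can run or pull in
# active content from inside an SVG document. An avatar needs none of them.
DISALLOWED_ELEMENTS = {
    "script", "foreignobject", "iframe", "embed", "object",
    "animate", "set", "handler",
}
# URL schemes that must never appear in href/src attributes of an avatar.
ACTIVE_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)
# CSS constructs that can load external resources or (in old engines) run code.
ACTIVE_CSS = re.compile(r"@import|url\s*\(|expression\s*\(", re.IGNORECASE)


def _local_name(qualified):
    """'{http://www.w3.org/2000/svg}foreignObject' -> 'foreignobject'."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_findings(svg_bytes):
    """Return human-readable reasons the SVG is unsafe as an avatar.

    An empty list means no active content was found.
    """
    findings = []

    # Raw-byte checks first: DTDs and stylesheet processing instructions sit
    # outside the element tree, and a profile picture never needs either.
    if re.search(rb"<!DOCTYPE", svg_bytes, re.IGNORECASE):
        findings.append("DOCTYPE declaration present")
    if re.search(rb"<\?xml-stylesheet", svg_bytes, re.IGNORECASE):
        findings.append("xml-stylesheet processing instruction present")

    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        findings.append(f"not well-formed XML: {exc}")
        return findings

    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")

    for el in root.iter():
        name = _local_name(el.tag)
        if name in DISALLOWED_ELEMENTS:
            findings.append(f"disallowed element <{name}>")
        if name == "style" and el.text and ACTIVE_CSS.search(el.text):
            findings.append("<style> element references external or active CSS")
        for attr, value in el.attrib.items():
            aname = _local_name(attr)  # handles xlink:href as well as href
            if aname.startswith("on"):
                findings.append(f"event handler attribute '{aname}' on <{name}>")
            elif aname in ("href", "src") and ACTIVE_SCHEME.match(value):
                findings.append(f"active URL scheme in '{aname}' on <{name}>")
            elif aname == "style" and ACTIVE_CSS.search(value):
                findings.append(f"active CSS in style attribute on <{name}>")
    return findings


def is_safe_avatar(svg_bytes):
    """True only when the SVG contains nothing that can run or fetch code."""
    return not svg_findings(svg_bytes)


# Constructed sample inputs (not taken from the advisory): a plain initials
# avatar, and one carrying the three classic SVG script vectors with inert
# comment bodies in place of any real payload.
BENIGN_AVATAR = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64">'
    b'<circle cx="32" cy="32" r="30" fill="#4a90e2"/>'
    b'<text x="32" y="40" text-anchor="middle" fill="#fff">JD</text></svg>'
)
ACTIVE_AVATAR = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="/* marker */">'
    b'<script>/* marker */</script>'
    b'<a xlink:href="javascript:void(0)"><text y="20">x</text></a></svg>'
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_AVATAR), ("active", ACTIVE_AVATAR)):
        print(label, "->", svg_findings(blob) or "clean")
```

A check like this belongs at the upload entry point, before the file is written to storage, and should be paired with a size limit so a deliberately huge or entity-heavy document cannot exhaust the parser. Because a deny-list for SVG is hard to make complete, the SI-15 side matters too: serving user-uploaded SVGs with `Content-Disposition: attachment` or under a restrictive `Content-Security-Policy` means that anything which does slip through is not executed in the administrator's origin.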
Mitigation details and potential patches can be found in the referenced advisories, including the proof-of-concept repository at https://github.com/PhDg1410/CVE/tree/main/CVE-2025-65267 and the official project repositories at https://github.com/frappe/erpnext and https://github.com/frappe/frappe.
Details
- CWE(s)