CVE-2025-68929
Published: 29 December 2025
Summary
CVE-2025-68929 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Frappe Frappe. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Template Injection (T1221); ranked at the 47.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces validation and sanitization of user-supplied inputs from crafted links to prevent server-side template injection leading to RCE.
Requires timely identification, reporting, and patching of flaws like this RCE vulnerability in Frappe versions prior to 14.99.6 and 15.88.1.
Limits the number of authenticated users with the specific permissions required to trigger the malicious template execution via least privilege enforcement.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables template injection (T1221) via crafted link in public-facing web framework (T1190), leading to RCE.
NVD Description
Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server,…
more
resulting in remote code execution. Versions 14.99.6 and 15.88.1 fix the issue. No known workarounds are available.
Deeper analysisAI
CVE-2025-68929 is a remote code execution vulnerability in Frappe, a full-stack web application framework. It affects versions prior to 14.99.6 and 15.88.1, where an authenticated user with specific permissions can be tricked into accessing a specially crafted link. This leads to the execution of a malicious template on the server. The issue is classified under CWE-1336 and carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).
Exploitation requires an attacker to target an authenticated user with the requisite permissions, typically via social engineering such as phishing to induce the victim to access the crafted link. Successful exploitation results in arbitrary code execution on the server with high confidentiality, integrity, and availability impacts, and the changed scope amplifies the potential for broader system compromise.
Frappe's security advisory (GHSA-qq98-vfv9-xmxh) and release notes for versions 14.99.6 and 15.88.1 confirm the patches that address the vulnerability. No known workarounds exist, so administrators should prioritize upgrading affected installations.
Details
- CWE(s)