Security Advisory

CVE-2025-65267

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2025-12-03 00:00:00

Last updated 2025-12-03 15:13:30

Assigner mitre

State PUBLISHED

Description

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.

← Browse all CVEs View on cve.org ↗