Base Score

HIGH8.8

CVE-2025-30213

Frappe is a full-stack web application framework. Prior to versions 14.91.0 and 15.52.0, a system user was able to create certain documents in a specific way that could lead to remote code execution. Versions 14.9.1 and 15.52.0 contain a patch for the vulnerability. There's no workaround; an upgrade is required.

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateMar 25, 2025, 15:15

Affected Versions(2)

frappe(PyPI)

Introduced0

Fixed14.91.0

LimitN/A

frappe(PyPI)

Introduced15.0.0

Fixed15.52.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
frappe(PyPI)	0	14.91.0	N/A
frappe(PyPI)	15.0.0	15.52.0	N/A

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

6.3

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

MEDIUM

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

References

https://github.com/frappe/frappe/security/advisories/GHSA-v342-4xr9-x3q3

Base Score

HIGH8.8

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

6.3

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

MEDIUM

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)