Base Score

HIGH7.5

CVE-2025-30217

Frappe is a full-stack web application framework. Prior to versions 14.93.2 and 15.55.0, a SQL Injection vulnerability has been identified in Frappe Framework which could allow a malicious actor to access sensitive information. Versions 14.93.2 and 15.55.0 contain a patch for the issue. No known workarounds are available.

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateMar 26, 2025, 17:15

Affected Versions(2)

frappe(PyPI)

Introduced0

Fixed14.93.2

LimitN/A

frappe(PyPI)

Introduced15.0.0

Fixed15.55.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
frappe(PyPI)	0	14.93.2	N/A
frappe(PyPI)	15.0.0	15.55.0	N/A

Weakness Type (CWE):CWE-89

CVSS Metrics

Base Score

6.6

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

MEDIUM

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

References

https://github.com/frappe/frappe/security/advisories/GHSA-6phg-4wmq-h5h3

Base Score

HIGH7.5

Weakness Type (CWE):CWE-89

CVSS Metrics

Base Score

6.6

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

MEDIUM

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)