Frappe up to 14.96.9/15.71.x tag.py add_tag dt sql injection

Summaryinfo

A vulnerability was found in Frappe up to 14.96.9/15.71.x. It has been declared as critical. Impacted is the function add_tag of the file frappe/desk/doctype/tag/tag.py. The manipulation of the argument dt results in sql injection. This vulnerability is known as CVE-2025-52048. It is possible to launch the attack remotely. No exploit is available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, was found in Frappe up to 14.96.9/15.71.x. Affected is the function add_tag of the file frappe/desk/doctype/tag/tag.py. The manipulation of the argument dt with an unknown input leads to a sql injection vulnerability. CWE is classifying the issue as CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py` is vulnerable to SQL Injection, which allows an attacker to extract information from databases by injecting a SQL query into the `dt` parameter.

The advisory is shared for download at github.com. This vulnerability is traded as CVE-2025-52048 since 06/16/2025. The exploitability is told to be easy. It is possible to launch the attack remotely. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1505.

Upgrading to version 14.96.10 or 15.72.0 eliminates this vulnerability.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Name

• Frappe

Version

• 14.96.0
• 14.96.1
• 14.96.2
• 14.96.3
• 14.96.4
• 14.96.5
• 14.96.6
• 14.96.7
• 14.96.8
• 14.96.9
• 15.0
• 15.1
• 15.2
• 15.3
• 15.4
• 15.5
• 15.6
• 15.7
• 15.8
• 15.9
• 15.10
• 15.11
• 15.12
• 15.13
• 15.14
• 15.15
• 15.16
• 15.17
• 15.18
• 15.19
• 15.20
• 15.21
• 15.22
• 15.23
• 15.24
• 15.25
• 15.26
• 15.27
• 15.28
• 15.29
• 15.30
• 15.31
• 15.32
• 15.33
• 15.34
• 15.35
• 15.36
• 15.37
• 15.38
• 15.39
• 15.40
• 15.41
• 15.42
• 15.43
• 15.44
• 15.45
• 15.46
• 15.47
• 15.48
• 15.49
• 15.50
• 15.51
• 15.52
• 15.53
• 15.54
• 15.55
• 15.56
• 15.57
• 15.58
• 15.59
• 15.60
• 15.61
• 15.62
• 15.63
• 15.64
• 15.65
• 15.66
• 15.67
• 15.68
• 15.69
• 15.70
• 15.71

Website

• Product: https://github.com/frappe/frappe/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion