{"id":"CVE-2025-52048","details":"In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, the function add_tag() in `frappe/desk/doctype/tag/tag.py` is vulnerable to SQL injection, which allows an attacker to extract information from databases by injecting a SQL query into the `dt` parameter.","aliases":["GHSA-mggw-6xqj-rphj"],"modified":"2026-04-10T05:30:31.128469Z","published":"2025-09-15T16:15:39.060Z","references":[{"type":"ADVISORY","url":"https://github.com/frappe/frappe/security/advisories/GHSA-mggw-6xqj-rphj"},{"type":"EVIDENCE","url":"https://github.com/Vietsunshine-Electronic-Solution-JSC/Vulnerability-Disclosures/blob/main/2025/Frappe%20Framework%20-%20Multiple%20SQL%20Injection.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/frappe/frappe","events":[{"introduced":"5ff15f3026b849c854c988d4b0f01d894b4e6be9"},{"fixed":"cb97a3f13964ad9cbd995a42877ae3e6526337d8"},{"introduced":"b8c1f492c492f7cbbfd3cc768234fbb244fd3737"},{"fixed":"96aaf56d88c60b3589fba4b2c91d5d9a67627b47"}],"database_specific":{"versions":[{"introduced":"14.0.0"},{"fixed":"14.96.10"},{"introduced":"15.0.0"},{"fixed":"15.72.0"}]}}],"versions":["v14.0.0","v14.0.1","v14.0.2","v14.1.0","v14.10.0","v14.11.0","v14.11.1","v14.12.0","v14.13.0","v14.14.0","v14.14.1","v14.14.2","v14.14.3","v14.15.0","v14.16.0","v14.17.0","v14.17.1","v14.18.0","v14.18.1","v14.19.0","v14.19.1","v14.2.0","v14.20.0","v14.21.0","v14.21.1","v14.22.0","v14.22.1","v14.23.0","v14.24.0","v14.25.0","v14.25.1","v14.25.2","v14.25.3","v14.25.4","v14.26.0","v14.26.1","v14.26.2","v14.26.3","v14.26.4","v14.27.0","v14.28.0","v14.28.1","v14.28.2","v14.29.0","v14.29.1","v14.29.2","v14.3.0","v14.30.0","v14.31.0","v14.32.0","v14.32.1","v14.33.0","v14.33.1","v14.34.0","v14.35.0","v14.36.0","v14.36.1","v14.36.2","v14.36.3","v14.37.0","v14.37.1","v14.38.0","v14.38.1","v14.38.2","v14.38.3","v14.39.0","v14.4.0","v14.4.1","v14.4.2","v14.4.3","v14.40.0","v14.40.1","v14.40.2","v14.40.3","v14.41.0","v14.42.0","v14.43.0","
v14.43.1","v14.44.0","v14.45.0","v14.46.0","v14.47.0","v14.47.1","v14.47.2","v14.48.0","v14.48.1","v14.49.0","v14.5.0","v14.50.0","v14.51.0","v14.52.0","v14.52.1","v14.52.2","v14.53.0","v14.53.1","v14.53.2","v14.54.0","v14.54.1","v14.55.0","v14.55.1","v14.56.0","v14.56.1","v14.57.0","v14.58.0","v14.59.0","v14.6.0","v14.60.0","v14.61.0","v14.62.0","v14.62.1","v14.62.2","v14.62.3","v14.62.4","v14.63.0","v14.64.0","v14.65.0","v14.66.0","v14.66.1","v14.66.2","v14.66.3","v14.67.0","v14.67.1","v14.68.0","v14.68.1","v14.68.2","v14.69.0","v14.7.0","v14.70.0","v14.71.0","v14.72.0","v14.73.0","v14.74.0","v14.74.1","v14.75.0","v14.76.0","v14.76.1","v14.76.2","v14.77.0","v14.77.1","v14.77.2","v14.77.3","v14.77.4","v14.77.5","v14.77.6","v14.77.7","v14.78.0","v14.78.1","v14.78.2","v14.79.0","v14.79.1","v14.8.0","v14.80.0","v14.80.1","v14.81.0","v14.81.1","v14.81.2","v14.81.3","v14.81.4","v14.81.5","v14.81.6","v14.82.0","v14.82.1","v14.82.2","v14.83.0","v14.84.0","v14.85.0","v14.85.1","v14.85.2","v14.86.0","v14.87.0","v14.88.0","v14.88.1","v14.89.0","v14.89.1","v14.9.0","v14.90.0","v14.91.0","v14.92.0","v14.93.0","v14.93.1","v14.93.2","v14.93.3","v14.94.0","v14.94.1","v14.94.2","v14.94.3","v14.95.0","v14.95.1","v14.95.2","v14.95.3","v14.96.0","v14.96.1","v14.96.2","v14.96.3","v14.96.4","v14.96.5","v14.96.6","v14.96.7","v14.96.8","v14.96.9","v15.0.0","v15.0.1","v15.0.2","v15.1.0","v15.10.0","v15.11.0","v15.12.0","v15.13.0","v15.14.0","v15.14.1","v15.15.0","v15.16.0","v15.16.1","v15.17.0","v15.17.1","v15.17.2","v15.17.3","v15.18.0","v15.18.1","v15.18.2","v15.19.0","v15.19.1","v15.2.0","v15.2.1","v15.20.0","v15.21.0","v15.22.0","v15.23.0","v15.24.0","v15.24.1","v15.25.0","v15.26.0","v15.27.0","v15.28.0","v15.29.0","v15.29.1","v15.29.2","v15.3.0","v15.30.0","v15.31.0","v15.32.0","v15.33.0","v15.33.1","v15.33.2","v15.33.3","v15.34.0","v15.34.1","v15.35.0","v15.36.0","v15.36.1","v15.37.0","v15.38.0","v15.39.0","v15.39.1","v15.39.2","v15.4.0","v15.4.1","v15.40.0","v15.40.1","v15.40.2","v
15.40.3","v15.40.4","v15.40.5","v15.40.6","v15.41.0","v15.42.0","v15.43.0","v15.44.0","v15.44.1","v15.44.2","v15.45.0","v15.45.1","v15.46.0","v15.47.0","v15.47.1","v15.47.2","v15.48.0","v15.48.1","v15.49.0","v15.49.1","v15.5.0","v15.50.0","v15.50.1","v15.51.0","v15.51.1","v15.51.2","v15.52.0","v15.53.0","v15.54.0","v15.54.1","v15.55.0","v15.55.1","v15.55.2","v15.56.0","v15.56.1","v15.57.0","v15.57.1","v15.57.2","v15.58.0","v15.58.1","v15.59.0","v15.6.0","v15.6.1","v15.60.0","v15.61.0","v15.62.0","v15.63.0","v15.63.1","v15.64.0","v15.65.0","v15.65.1","v15.65.2","v15.66.0","v15.66.1","v15.67.0","v15.68.0","v15.68.1","v15.69.0","v15.69.1","v15.69.2","v15.69.3","v15.7.0","v15.70.0","v15.71.0","v15.8.0","v15.8.1","v15.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52048.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}