
CVE-2025-66436: n/a

Severity: Medium
Published: Mon Dec 15 2025 (12/15/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (terms) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to create or modify a Terms and Conditions document can inject arbitrary Jinja expressions into the terms field, resulting in server-side code execution within a restricted but still unsafe context. This vulnerability can be used to leak database information.

AI-Powered Analysis

Last updated: 12/22/2025, 18:05:08 UTC

Technical Analysis

CVE-2025-66436 is a Server-Side Template Injection vulnerability found in the get_terms_and_conditions method of Frappe ERPNext versions through 15.89.0. The vulnerability arises because the method renders user-controlled Jinja2 templates (the 'terms' field) using frappe.render_template() with a user-supplied context object (doc). Although Frappe employs a custom SandboxedEnvironment intended to restrict template execution, it still exposes several dangerous global functions, including frappe.db.sql, through the get_safe_globals() method. An attacker who is authenticated and has the ability to create or modify Terms and Conditions documents can inject arbitrary Jinja2 expressions into the terms field. This injection leads to server-side code execution within the template rendering process, allowing the attacker to execute arbitrary database queries and potentially leak sensitive information. The vulnerability does not require user interaction beyond authentication and has a low attack complexity, but it is limited to users with specific privileges. No known public exploits or patches are currently available, but the presence of dangerous globals in the sandboxed environment significantly increases the risk of exploitation. The vulnerability is classified under CWE-1336 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Potential Impact

For European organizations using Frappe ERPNext up to version 15.89.0, this vulnerability poses a risk of unauthorized disclosure of sensitive database information, which may include customer data, financial records, or intellectual property. Since ERPNext is an enterprise resource planning system widely used by SMEs and larger enterprises across Europe, exploitation could lead to data breaches, compliance violations (e.g., GDPR), and reputational damage. The ability to execute server-side code within the template engine, even in a restricted context, could be leveraged to escalate privileges or pivot within the network. Although the vulnerability requires authenticated access with specific permissions, insider threats or compromised credentials could facilitate exploitation. The medium CVSS score reflects limited impact on integrity and availability but highlights confidentiality concerns. Given the strategic importance of ERP systems in business operations, disruption or data leakage could have significant operational and financial consequences.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Immediately audit and restrict permissions to Terms and Conditions document creation/modification to trusted administrators only.
2) Upgrade ERPNext to a version where this vulnerability is patched once available; monitor vendor advisories closely.
3) As a temporary measure, disable or restrict the use of custom Terms and Conditions templates if feasible.
4) Review and harden the Jinja2 sandbox environment by removing or restricting dangerous globals such as frappe.db.sql from the template execution context.
5) Implement strict input validation and sanitization on the terms field to prevent injection of malicious template expressions.
6) Monitor logs for unusual template rendering activity or database queries initiated via template execution.
7) Enforce multi-factor authentication and strong credential management to reduce the risk of unauthorized authenticated access.
8) Conduct internal penetration testing focusing on template injection vectors within ERPNext.
9) Prepare incident response plans to quickly address potential exploitation.

These targeted actions go beyond generic advice by focusing on the specific attack vector and environment.
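The point behind items 4 and 5 is that a sandboxed Jinja2 environment restricts Python attribute access but will call any function that the context or the globals hand to it, so the defence is to control what a terms template can reach, both before it is saved and at render time. The following is an added example written for this page, not Frappe's or ERPNext's code: the allow-lists, function names and the sample document are assumptions for illustration. It shows two defender-side controls in plain Python: a pre-save audit that rejects a terms template referencing any root name other than the document (or a loop/set variable it binds itself), and a context scrubber that strips callables and objects so that only plain field values reach the renderer.

```python
import re
from typing import Any, List, Set

# Control-flow words, literals and the loop helper that may legitimately appear in a block.
_JINJA_BUILTINS = {
    "if", "elif", "else", "endif", "for", "endfor", "in", "not", "and", "or",
    "is", "set", "loop", "true", "false", "none", "True", "False", "None",
}
# Filters a terms template may use (assumed allow-list, not Frappe's).
_ALLOWED_FILTERS = {"upper", "lower", "title", "default", "round", "length", "join"}

_BLOCK_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)
_STRING_RE = re.compile(r"'[^']*'|\"[^\"]*\"")
_NUMBER_RE = re.compile(r"\b\d+(?:\.\d+)?(?:[eE][+-]?\d+)?")
_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*")
_FOR_RE = re.compile(r"\bfor\s+([A-Za-z_][A-Za-z0-9_]*(?:\s*,\s*[A-Za-z_][A-Za-z0-9_]*)*)\s+in\b")
_SET_RE = re.compile(r"\bset\s+([A-Za-z_][A-Za-z0-9_]*)\s*=")


def _check_names(names: List[str], bound: Set[str], flagged: List[str]) -> None:
    for name in names:
        root, *attrs = name.split(".")
        if any(a.startswith("_") for a in attrs):
            flagged.append(name)          # private/dunder attribute walk
        elif root not in _JINJA_BUILTINS and root not in bound:
            flagged.append(name)          # reaches outside the allowed roots


def audit_terms_template(terms: str, allowed_roots: Set[str]) -> List[str]:
    """Return every reference in `terms` that a terms template has no business making.

    Pre-save gate for the terms field: only the allow-listed roots (e.g. "doc"),
    names bound by `for x in ...` / `set x = ...`, and allow-listed filters pass.
    Regex-based, so it is a coarse complement to trimming globals at render time.
    """
    bound = set(allowed_roots)
    flagged: List[str] = []
    for expr_part, stmt_part in _BLOCK_RE.findall(terms):
        body = _STRING_RE.sub("''", expr_part or stmt_part)   # literals are data, not references
        body = _NUMBER_RE.sub("0", body)
        for m in _FOR_RE.finditer(body):
            bound.update(n.strip() for n in m.group(1).split(","))
        for m in _SET_RE.finditer(body):
            bound.add(m.group(1))
        segments = body.split("|")          # first segment: expression; the rest: filter chain
        _check_names(_NAME_RE.findall(segments[0]), bound, flagged)
        for seg in segments[1:]:
            names = _NAME_RE.findall(seg)
            if names and names[0] not in _ALLOWED_FILTERS:
                flagged.append("|" + names[0])
            _check_names(names[1:], bound, flagged)   # filter arguments can also reach out
    return flagged


_PLAIN = (str, int, float, bool, type(None))


def _is_data(value: Any) -> bool:
    return isinstance(value, _PLAIN + (dict, list, tuple))


def scrub_context(value: Any) -> Any:
    """Recursively keep only plain data; callables, modules and objects are dropped.

    Render with this instead of the raw document object and the template can read
    fields but never invoke anything, whatever the sandbox's globals happen to expose.
    """
    if isinstance(value, _PLAIN):
        return value
    if isinstance(value, dict):
        return {str(k): scrub_context(v) for k, v in value.items() if _is_data(v)}
    if isinstance(value, (list, tuple)):
        return [scrub_context(v) for v in value if _is_data(v)]
    raise TypeError(f"render context must be plain data, got {type(value).__name__}")


if __name__ == "__main__":
    # Constructed sample document; field names are illustrative, not ERPNext's schema.
    raw_ctx = {"doc": {"name": "SO-0001", "grand_total": 12.5,
                       "items": [{"item_code": "WIDGET"}],
                       "run_sql": lambda q: q},          # dropped by the scrubber
               "helper": object()}                        # dropped by the scrubber
    print(scrub_context(raw_ctx))
    good = "Total {{ doc.grand_total | round }}{% for it in doc.items %} {{ it.item_code }}{% endfor %}"
    bad = "{{ frappe.db.sql('...') }} {{ doc.__class__ }}"
    print(audit_terms_template(good, {"doc"}))   # []
    print(audit_terms_template(bad, {"doc"}))    # ['frappe.db.sql', 'doc.__class__']
```

Run the audit in the save path of the Terms and Conditions document and reject the save when the list is non-empty; run the scrubber on the context immediately before rendering. Neither replaces item 4: the audit is a regex gate that a determined author may eventually slip past, so the render-time environment still has to stop exposing callables such as frappe.db.sql, and the audit's flagged names double as a useful log line for item 6.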


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-30T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 694045bfd9bcdf3f3df2be97

Added to database: 12/15/2025, 5:30:39 PM

Last enriched: 12/22/2025, 6:05:08 PM

Last updated: 2/7/2026, 12:55:34 PM

Views: 55
