216.73.216.133

CVE-2025-65924

· Published 03/02/2026 18:16 · Modified 04/02/2026 17:16

Labels: CVE-2025-65924 2026-02-03CVE-2025-65924CWE-80[email protected]

Essential information

Published
03/02/2026 18:16
Modified
04/02/2026 17:16
Author
Creator
CVSS
6.1 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS metrics

Description

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the Add Quality Goal' function.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
erpnext / erpnext cpe:2.3:a:erpnext:erpnext:<15.88.1:*:*:*:*:*:*:*

References