CVE-2025-65923

A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the affected record is viewed by a user within the ERPNext web interface. This exposure may allow an attacker to compromise user sessions or perform unauthorized actions under the context of a victim's account.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/frappe/frappe_docker.git	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-03 18:16

Updated : 2026-02-11 16:50

NVD link : CVE-2025-65923

Mitre link : CVE-2025-65923

CVE.ORG link : CVE-2025-65923

JSON object : View

Products Affected

frappe

erpnext

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-65923", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2026-02-03T18:16:15.700", "references": [{"url": "https://github.com/frappe/frappe_docker.git", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the affected record is viewed by a user within the ERPNext web interface. This exposure may allow an attacker to compromise user sessions or perform unauthorized actions under the context of a victim's account."}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting almacenado (XSS) fue descubierta dentro del mecanismo de importaci\u00f3n de CSV de ERPNext hasta la versi\u00f3n 15.88.1 al usar la opci\u00f3n 'Actualizar Registros Existentes'. Un atacante puede incrustar c\u00f3digo JavaScript malicioso en un campo CSV, el cual es luego almacenado en la base de datos y ejecutado cada vez que el registro afectado es visto por un usuario dentro de la interfaz web de ERPNext. Esta exposici\u00f3n puede permitir a un atacante comprometer sesiones de usuario o realizar acciones no autorizadas bajo el contexto de la cuenta de una v\u00edctima."}], "lastModified": "2026-02-11T16:50:44.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53978828-7605-4FFD-8D13-941F553B52FE", "versionEndIncluding": "15.88.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}