CVE-2025-65924

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the Add Quality Goal' function.

CVSS v3 4.1 MEDIUM

4.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/frappe/frappe_docker.git	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-03 18:16

Updated : 2026-02-17 17:21

NVD link : CVE-2025-65924

Mitre link : CVE-2025-65924

CVE.ORG link : CVE-2025-65924

JSON object : View

Products Affected

frappe

erpnext

CWE

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

{"id": "CVE-2025-65924", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.3}]}, "published": "2026-02-03T18:16:15.810", "references": [{"url": "https://github.com/frappe/frappe_docker.git", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-80"}]}], "descriptions": [{"lang": "en", "value": "ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the Add Quality Goal' function."}, {"lang": "es", "value": "ERPNext hasta la versi\u00f3n 15.88.1 no sanea ni elimina ciertas etiquetas HTML, espec\u00edficamente hiperv\u00ednculos '<a rel=\"nofollow\">', en campos destinados a texto sin formato. Aunque JavaScript est\u00e1 bloqueado (lo que previene XSS), el HTML a\u00fan se conserva en el documento PDF generado. Como resultado, un atacante puede inyectar enlaces maliciosos en los que se puede hacer clic en un PDF generado por el ERP. Dado que los archivos PDF generados por el sistema ERP generalmente se consideran confiables, es muy probable que los usuarios hagan clic en estos enlaces, lo que podr\u00eda facilitar ataques de phishing o la entrega de malware. Este problema ocurre en la funci\u00f3n 'Add Quality Goal'.</a>"}], "lastModified": "2026-02-17T17:21:04.173", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53978828-7605-4FFD-8D13-941F553B52FE", "versionEndIncluding": "15.88.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}