CVE-2025-65924
MEDIUM
ERPNext <= 15.88.1 - HTML Injection in Add Quality Goal Function
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2025-65924. PoCs published by 09OHs.
AI-analyzed exploit summary
The repository contains a technical description of CVE-2025-65922, an information disclosure vulnerability in Planka v2.0.0-rc.4 and below due to missing X-Frame-Options and CSP frame-ancestors headers, allowing UI redressing attacks. The other CVEs (CVE-2025-65923 and CVE-2025-65924) are marked as 'Waiting to public' with no additional details.
Description
ERPNext through 15.88.1 does not sanitize or remove certain HTML tags, specifically `<a>` hyperlinks, in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the 'Add Quality Goal' function.
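A defensive check for the behaviour described above, as an added example that is not ERPNext or Frappe code: it audits values stored in plain-text fields for `<a>` tags and escapes a value so a PDF template renders it as literal characters. The record names, the `goal` field and the sample rows are constructed assumptions.

```python
import html
from html.parser import HTMLParser


class _MarkupFinder(HTMLParser):
    """Collects every start tag and every <a href> target in a field value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)  # HTMLParser lowercases tag and attribute names
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def audit_plain_text(value):
    """Return (tags, hrefs) found in a value that should hold plain text."""
    finder = _MarkupFinder()
    finder.feed(value)
    finder.close()
    return finder.tags, finder.hrefs


def to_inert_text(value):
    """Escape markup so the PDF shows the characters instead of a link."""
    return html.escape(value, quote=True)


def audit_records(records, text_fields):
    """List (record name, field, hrefs) for fields that carry anchor tags."""
    findings = []
    for rec in records:
        for field in text_fields:
            tags, hrefs = audit_plain_text(rec.get(field) or "")
            if "a" in tags:
                findings.append((rec["name"], field, hrefs))
    return findings


# Constructed sample rows; record names and the "goal" field are hypothetical.
SAMPLE = [
    {"name": "QG-0001", "goal": "Reduce defect rate below 2%"},
    {"name": "QG-0002", "goal": '<A HREF="https://example.invalid/login">Open report</A>'},
    {"name": "QG-0003", "goal": "Keep a < b and c > d in tolerance"},
]
```

The escaped form is what should reach the PDF template for any field intended as plain text; the audit output gives the link targets to review in records saved before such escaping was in place.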
Exploits (1)
References (1)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N