CVE-2025-65924

MEDIUM

ERPNext <15.88.1 - XSS

Title source: llm

Description

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the Add Quality Goal' function.

Exploits (1)

github WRITEUP

by 09OHs · poc

https://github.com/09OHs/CVE/tree/main/CVE-2025-65924

View Code ZIP pw:eip

References (1)

[Product] https://github.com/frappe/frappe_docker.git

Scores

CVSS v3 4.1

EPSS 0.0001

EPSS Percentile 2.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

Details

CWE

CWE-80

Status published

Products (1)

frappe/erpnext < 15.88.1

Published Feb 03, 2026

Tracked Since Feb 18, 2026