Strix
26.1K

CVE-2025-65924

MEDIUMCVSS 4.1/10EPSS 0.23%

Last modified

CVE-2025-65924 is a medium-severity vulnerability rated 4.1/10 on the CVSS scale. ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. EPSS estimates a 0.23% chance of exploitation in the next 30 days.

Description

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the Add Quality Goal' function.

Metrics

CVSS 3.1
4.1/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

EPSS Probability
0.23%

13.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
FrappeErpnext<= 15.88.1

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2025-65924?
ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the Add Quality Goal' function.
How severe is CVE-2025-65924?
CVE-2025-65924 has a CVSS score of 4.1/10 (MEDIUM severity). The EPSS model estimates a 0.23% probability of exploitation in the next 30 days.
How do I fix CVE-2025-65924?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-65924?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST