CVE-2025-65924
MEDIUM 4.1
Description
ERPNext through 15.88.1 does not sanitize or remove certain HTML tags, specifically `<a>` hyperlinks, in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the 'Add Quality Goal' function.
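The defensive counterpart of the issue described above, as an added example that is not ERPNext or Frappe code: plain-text fields are reduced to their visible text (so an `<a>` tag cannot survive into the PDF renderer), and existing records can be audited for anchor tags that were stored before a fix. The `PLAIN_TEXT_FIELDS` schema and the field names are assumptions.

```python
"""Added example, not from ERPNext/Frappe: strip markup from plain-text
fields before PDF generation and audit stored values for <a> tags."""
import html
import re
from html.parser import HTMLParser

# Assumed schema: which fields of a hypothetical "Quality Goal" form are
# plain text. Fields not listed here (e.g. a rich-text "notes") are untouched.
PLAIN_TEXT_FIELDS = {"goal", "objective"}


class _TextOnly(HTMLParser):
    """Collects text nodes only; every tag, including <a>, is dropped."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def strip_html(value: str) -> str:
    """Return the visible text of `value` with all markup removed."""
    parser = _TextOnly()
    parser.feed(value)
    parser.close()
    return "".join(parser.parts)


def sanitize_plain_text(doc: dict) -> dict:
    """Mitigation: return a copy of `doc` whose plain-text fields carry no
    markup. Tags are removed, then any remaining '<', '>' or '&' is
    escaped so the PDF renderer treats the value as literal text."""
    clean = dict(doc)
    for name in PLAIN_TEXT_FIELDS:
        if isinstance(clean.get(name), str):
            clean[name] = html.escape(strip_html(clean[name]), quote=False)
    return clean


_ANCHOR = re.compile(r"<\s*a\b", re.IGNORECASE)


def find_injected_links(doc: dict) -> list:
    """Detection: names of plain-text fields that already contain an <a>
    tag, for auditing records stored before the sanitizer was deployed."""
    return [n for n in sorted(PLAIN_TEXT_FIELDS)
            if isinstance(doc.get(n), str) and _ANCHOR.search(doc[n])]
```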
CVE details
CVSS v3.1 score: 4.1
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: LOW
User interaction: REQUIRED
Published: 2/3/2026
Last modified: 2/17/2026
Source: nvd
Honeypot sightings: 0
Affected products
frappe:erpnext
Weaknesses (CWE)
CWE-80
References
https://github.com/frappe/frappe_docker.git (cve@mitre.org)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.