CVE-2025-65924

EPSS 0.23%
Veröffentlicht 03.02.2026 00:00:00
Zuletzt bearbeitet 17.02.2026 17:21:04
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the Add Quality Goal' function.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Frappe ≫ Erpnext Version <= 15.88.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.131

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	4.1	2.3	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

https://github.com/frappe/frappe_docker.git

Product

https://nvd.nist.gov/vuln/detail/CVE-2025-65924

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-65924

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-65924

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-65924