ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the Add Quality Goal' function.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
No data.
References
| Link | Providers |
|---|---|
| https://github.com/frappe/frappe_docker.git |
|
History
Tue, 03 Feb 2026 18:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the Add Quality Goal' function. | |
| References |
|
MITRE
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-02-03T17:40:13.101Z
Reserved: 2025-11-18T00:00:00.000Z
Link: CVE-2025-65924
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-02-03T18:16:15.810
Modified: 2026-02-03T18:16:15.810
Link: CVE-2025-65924
Redhat
No data.
OpenCVE Enrichment
No data.