Unrated severity · OSV Advisory · Published Feb 3, 2026 · Updated Feb 4, 2026

CVE-2025-65923

Description

A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext through 15.88.1 when using the Update Existing Records option. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the affected record is viewed by a user within the ERPNext web interface. This exposure may allow an attacker to compromise user sessions or perform unauthorized actions under the context of a victim's account.

Affected products

2
  • Frappe/Erpnext (OSV), 2 versions
    4.0.0, 4.0.0-beta1, v10.0.0, … + 1 more
    • (no CPE) range: 4.0.0, 4.0.0-beta1, v10.0.0, …
    • (no CPE) range: <=15.88.1
