Unrated severityOSV Advisory· Published Feb 3, 2026· Updated Feb 17, 2026
CVE-2025-65924
CVE-2025-65924
Description
ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the Add Quality Goal' function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
News mentions
0No linked articles in our index yet.