CVE-2025-65924

Medium CVSS: 4.1

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the Add Quality Goal' function.

Vendor

Frappe

Product

Erpnext

CWE

CWE-80

Yayın Tarihi

2026-02-03 18:16:15

Güncelleme

2026-02-17 17:21:04

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-80 Erpnext MEDIUM Frappe 2026

Referanslar

https://github.com/frappe/frappe_docker.git

Benzer Kayıtlar

High

CVE-2026-32954

ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpo…

Critical

CVE-2026-31877

Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a ce…

Medium

CVE-2026-31878

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a…

Medium

CVE-2026-31879

Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation…

Medium

CVE-2026-28436

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted…

High

CVE-2026-29077

Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation wh…