CVE-2025-68927

Name of the Vulnerable Software and Affected Versions Libredesk versions prior to 0.8.6-beta

Description Libredesk is a self-hosted customer support desk application. A stored HTML injection issue exists in the contact notes feature. When adding notes through the POST /api/v1/contacts/{id}/notes endpoint, user input is wrapped in

tags by the backend. Removing the

tag allows an attacker to inject arbitrary HTML elements, such as forms and images, which are then stored and displayed without proper sanitization. This can potentially lead to phishing, Cross-Site Request Forgery (CSRF)-style forced actions, and UI redress attacks. The vulnerable parameter is the contact note content submitted via the POST /api/v1/contacts/{id}/notes API endpoint.

Recommendations Update to version 0.8.6-beta or later.