PT-2026-5951 · Frappe+1 · Erpnext

Published: 2026-02-03 · Updated: 2026-02-11 · CVE-2025-65923

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: ERPNext versions through 15.88.1

Description: A Stored Cross-Site Scripting (XSS) issue exists in the CSV import mechanism when the Update Existing Records option is used. An attacker can inject malicious JavaScript code into a CSV field. This code is stored in the database and executed when a user views the affected record in the ERPNext web interface. This could allow an attacker to compromise user sessions or perform unauthorized actions. The vulnerability impacts the application's handling of data imported through CSV files, specifically during the update process.

Recommendations: Versions prior to 15.88.1 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
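
With no fixed version listed, one stopgap is to screen CSV files before they are imported with Update Existing Records. The script below is an added example, not ERPNext or Frappe code; the column names, the sample rows and the markup heuristic are assumptions.

```python
import csv
import io
import re

# Heuristic (an assumption, tune for your data): a cell is suspicious if it contains
# an HTML tag opener, an inline event-handler attribute, or a javascript: URL.
MARKUP = re.compile(r"</?[a-zA-Z!?]|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)


def partition(text):
    """Split CSV text into (clean_csv, findings).

    findings holds (record_number, column_name, value) for each flagged cell;
    the header is record 1. Records with any flagged cell are withheld from clean_csv.
    """
    rows = list(csv.reader(io.StringIO(text)))
    header, body = rows[0], rows[1:]
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    findings = []
    for record_number, row in enumerate(body, start=2):
        hits = []
        for index, cell in enumerate(row):
            if MARKUP.search(cell):
                # Cells beyond the header width get a positional name.
                name = header[index] if index < len(header) else f"col{index + 1}"
                hits.append((record_number, name, cell))
        if hits:
            findings.extend(hits)   # hold the record back for manual review
        else:
            writer.writerow(row)    # safe to pass on to the import
    return out.getvalue(), findings


# Constructed sample: placeholder columns and values, not a real ERPNext doctype.
SAMPLE = (
    "ID,Title,Description\n"
    "REC-0001,Quarterly review,Plain text note\n"
    'REC-0002,Vendor update,"<script>/* placeholder */</script>"\n'
    'REC-0003,Logo,"<img src=x onerror=""/* placeholder */"">"\n'
)

if __name__ == "__main__":
    clean, findings = partition(SAMPLE)
    for record_number, column, value in findings:
        print(f"record {record_number}, column {column!r}: {value!r}")
    print(clean, end="")
```

Pattern screening of this kind narrows exposure at the import step only; the stored values are still rendered by the application, so it does not replace output encoding in the affected views.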

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-65923

Affected Products: Erpnext