CVE-2025-65924

Name of the Vulnerable Software and Affected Versions ERPNext versions through 15.88.1

Description The software does not properly remove certain HTML tags, specifically <a> hyperlinks, in fields designed for plain text input. While JavaScript execution is blocked, the HTML is retained within generated PDF documents. This allows an attacker to inject malicious, clickable links into ERP-generated PDFs. Because PDFs from the ERP system are generally considered trustworthy, users are likely to click these links, potentially leading to phishing attacks or malware delivery. The issue is present in the Add Quality Goal function.

Recommendations Versions prior to 15.88.1 should be updated.