
CVE-2025-65923: n/a

Severity: Medium
Type: Vulnerability
Published: Tue Feb 03 2026 (02/03/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext through 15.88.1 when using the Update Existing Records option. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the affected record is viewed by a user within the ERPNext web interface. This exposure may allow an attacker to compromise user sessions or perform unauthorized actions under the context of a victim's account.

AI-Powered Analysis

AI analysis last updated: 02/04/2026, 08:10:45 UTC

Technical Analysis

CVE-2025-65923 is a stored Cross-Site Scripting (XSS) vulnerability identified in the CSV import mechanism of ERPNext, a widely used open-source enterprise resource planning (ERP) system. The vulnerability specifically arises when the 'Update Existing Records' option is used during CSV imports. An attacker can craft a CSV file containing malicious JavaScript code embedded within one or more fields. When this CSV is imported, the malicious script is stored persistently in the ERPNext database. Subsequently, whenever a user accesses the affected record through the ERPNext web interface, the embedded script executes in the context of the user's browser session. This execution can lead to session hijacking, enabling the attacker to impersonate the user, steal sensitive information, or perform unauthorized actions such as modifying data or escalating privileges within the ERP system. The vulnerability does not require the attacker to have prior authentication to inject the payload, but the victim must view the compromised record for the exploit to trigger. No CVSS score has been assigned yet, and no known public exploits have been reported. The lack of a patch or mitigation details in the provided information suggests that organizations should proactively implement input validation and restrict CSV import permissions to trusted users. Given ERPNext's role in managing critical business functions like inventory, finance, and human resources, exploitation could have significant operational and data confidentiality impacts.

Potential Impact

For European organizations, this vulnerability poses a substantial risk due to ERPNext's use in managing sensitive business operations. Successful exploitation could lead to unauthorized access to confidential corporate data, manipulation of financial records, or disruption of business processes. The ability to hijack user sessions or perform actions under a victim's account increases the risk of insider-like attacks without direct insider involvement. This could result in data breaches, regulatory non-compliance (e.g., GDPR violations), financial losses, and reputational damage. Organizations relying heavily on CSV imports for bulk updates are particularly vulnerable. Additionally, sectors such as manufacturing, logistics, and public administration that depend on ERPNext for critical workflows may face operational disruptions. The absence of known exploits in the wild provides a window for mitigation, but the potential impact remains high if exploited.

Mitigation Recommendations

1. Immediately restrict CSV import functionality to trusted, authenticated users with a clear need to perform bulk updates.
2. Implement strict input validation and sanitization on all CSV fields before importing data into ERPNext, ensuring that scripts or HTML tags are neutralized or rejected.
3. Monitor ERPNext logs for unusual import activities or unexpected changes in records that could indicate exploitation attempts.
4. Educate users to be cautious when viewing records recently updated via CSV imports, especially if imported by less trusted sources.
5. Apply ERPNext updates and patches promptly once the vendor releases a fix addressing this vulnerability.
6. Consider deploying web application firewalls (WAFs) with rules to detect and block XSS payloads targeting ERPNext interfaces.
7. Conduct regular security assessments and penetration tests focusing on import functionalities and user privilege configurations.
8. Enforce the principle of least privilege for ERPNext users to limit the impact of compromised accounts.
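The pre-import screening described in recommendation 2, as an added example that is not ERPNext's or Frappe's own code: it scans each CSV cell for markup before the file is handed to an importer, either HTML-escaping flagged cells so they render as literal text or rejecting the row, and returns a findings list that can be fed to the log monitoring in recommendation 3. The CSV sample and column names are constructed for the example.

```python
import csv
import html
import io
import re

# Heuristic for markup that must never be stored raw in an ERP record field:
# an HTML tag or comment opener, an inline event-handler attribute, or a
# javascript:/data: URI. Conservative by design; text such as "a < b" is not
# matched because a tag name must follow '<' directly, as browsers require.
_SUSPECT = re.compile(
    r"</?[a-zA-Z!]"
    r"|\bon[a-zA-Z]+\s*="
    r"|javascript\s*:"
    r"|data\s*:\s*text/html",
    re.IGNORECASE,
)


def scan_cell(value):
    """Return True when a CSV cell contains markup that should not be stored as-is."""
    return isinstance(value, str) and bool(_SUSPECT.search(value))


def sanitize_csv(text, mode="escape"):
    """Pre-screen a CSV document before it reaches the importer.
    mode="escape": HTML-escape flagged cells so they render as literal text.
    mode="reject": drop any row that contains a flagged cell.
    Returns (clean_rows, findings); each finding is (line_no, column, original).
    """
    reader = csv.DictReader(io.StringIO(text))
    clean, findings = [], []
    for line_no, row in enumerate(reader, start=2):  # header is line 1
        bad = {k for k, v in row.items() if scan_cell(v)}
        findings.extend((line_no, k, row[k]) for k in sorted(bad))
        if bad and mode == "reject":
            continue
        clean.append({k: html.escape(v, quote=True) if k in bad else v
                      for k, v in row.items()})
    return clean, findings


# Constructed sample: one clean row and two rows carrying markup of the kind
# the advisory describes (a tag with an event handler, a javascript: link).
SAMPLE_CSV = (
    "name,item_code,description\n"
    "Widget,WID-001,Plain steel widget\n"
    'Gadget,GAD-002,"<img src=x onerror=alert(1)>"\n'
    'Gizmo,GIZ-003,"See <a href=""javascript:alert(1)"">notes</a>"\n'
)
```

Escaping is the safer default for a bulk update because the record still imports and the stored text is harmless when rendered; use "reject" when an import from an untrusted source should fail loudly instead.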


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-18T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6982fcd3f9fa50a62f7662fd

Added to database: 2/4/2026, 8:01:23 AM

Last enriched: 2/4/2026, 8:10:45 AM

Last updated: 2/7/2026, 3:57:14 AM

