CVE-2025-65924: n/a
ERPNext through 15.88.1 does not sanitize or remove certain HTML tags, specifically `<a>` hyperlinks, in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the 'Add Quality Goal' function.
AI Analysis
Technical Summary
CVE-2025-65924 affects ERPNext versions through 15.88.1. Input to fields that are meant to hold plain text, specifically in the 'Add Quality Goal' function, is filtered for script content but not for `<a>` hyperlink tags. The filter therefore stops cross-site scripting, but an anchor tag survives into the stored value and into the HTML from which ERPNext renders its PDFs, where the HTML-to-PDF step turns it into a clickable link. Because PDFs produced by the ERP system are trusted by the people who receive them, an attacker can use this to plant links to phishing pages or malware downloads inside documents that look authoritative. Exploitation requires an authenticated user who can write to the affected field and a recipient who opens the PDF and clicks the link. The impact is to document integrity and to the recipient, through social engineering carried by a trusted document. The reported CVSS score is 4.1 (medium), reflecting the authentication and user-interaction requirements, the absence of direct confidentiality or availability impact, and the low complexity of the injection once authenticated; note that the record's metadata lists no CVSS version, so the vector behind that score is not recorded here. No patch or public exploit is listed for this entry, so mitigation must be proactive. The issue is classified under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page).
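The following is an added Python example, not ERPNext or Frappe code, modelling the two behaviours the analysis above contrasts: a filter that only blocks script content (which lets an anchor through), and a plain-text policy that strips or rejects every tag and escapes the value before it is rendered into the HTML that becomes the PDF. The function names, the field value and the link target are constructed for illustration.

```python
"""Plain-text field policy versus a script-only filter (added example, not ERPNext/Frappe code)."""
import html
import re
from html.parser import HTMLParser

# Constructed sample: a quality-goal name carrying a hyperlink. A filter that only
# blocks scripts leaves this intact, and the <a> becomes a clickable link in the PDF.
GOAL_NAME = 'Q3 target: <a href="https://example.invalid/sso-login">see revised KPI</a>'


class _LinkCollector(HTMLParser):
    """Records every tag seen, every href target, and the text nodes of a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []
        self.tags: list[str] = []
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_data(self, data):
        self._text.append(data)

    @property
    def text(self) -> str:
        return "".join(self._text)


def _parse(value: str) -> _LinkCollector:
    p = _LinkCollector()
    p.feed(value)
    p.close()
    return p


def script_only_filter(value: str) -> str:
    """Models the weak filter: removes <script> blocks and on* handlers, keeps every other tag."""
    value = re.sub(r"(?is)<script\b.*?</script>", "", value)
    value = re.sub(r"(?i)\s+on\w+\s*=\s*(\"[^\"]*\"|'[^']*'|\S+)", "", value)
    return value


def find_links(value: str) -> list[str]:
    """href targets present in the value (what would end up as PDF link annotations)."""
    return _parse(value).hrefs


def contains_markup(value: str) -> bool:
    """True if any HTML tag is present; a bare '<' in text such as 'x < y' is not a tag."""
    return bool(_parse(value).tags)


def to_plain_text(value: str) -> str:
    """Strip every tag and keep only the text nodes (entities are decoded by the parser)."""
    return _parse(value).text


def validate_plain_text_field(value: str, *, strict: bool = True) -> str:
    """Server-side policy for a plain-text field: reject markup (strict) or strip it.
    This must run on the server; a form-side check alone can be bypassed via the API."""
    if contains_markup(value):
        if strict:
            raise ValueError(f"field must be plain text; markup found: {find_links(value) or 'tags'}")
        value = to_plain_text(value)
    return value


def is_rejected(value: str) -> bool:
    """True when the strict policy would refuse the value."""
    try:
        validate_plain_text_field(value, strict=True)
    except ValueError:
        return True
    return False


def render_for_print(value: str) -> str:
    """When the value is interpolated into the HTML that becomes the PDF, escape it so
    any leftover '<' is shown literally instead of being parsed into a tag."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print("links after script-only filter:", find_links(script_only_filter(GOAL_NAME)))
    print("stored as plain text:", to_plain_text(GOAL_NAME))
    print("escaped for print format:", render_for_print(GOAL_NAME))
```

The strict variant is preferable for a field like a goal name, where there is no legitimate reason to accept markup; the stripping variant is a compensating control for data already stored. Either way, `render_for_print` is the last line of defence: escaping at the template boundary means a tag that slipped past validation is printed as text rather than rendered.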
Potential Impact
For European organizations, the risk is primarily to the integrity of business documents and to the end users who act on ERPNext-generated PDFs. A malicious link in a trusted PDF can open a phishing campaign or a malware infection, leading to credential theft, lateral movement within the network, or disruption of business processes. Sectors that use ERPNext heavily, such as manufacturing, supply chain management and quality assurance, have the greater exposure. Because the injected content must be entered by an authenticated user, the attack surface is limited to internal or trusted accounts, but an insider or a compromised account can still use it. The social-engineering angle raises the chance of success, particularly where security awareness is low. Confidentiality and availability are not directly affected by the flaw itself, but the reputational damage and operational disruption of a successful phishing or malware attack can be significant, and European data protection rules (e.g. GDPR) add compliance exposure if such an attack leads to a data breach.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Audit and restrict access to the 'Add Quality Goal' function, and to editing Quality Goal records generally, to trusted personnel, minimizing who can supply the malicious input.
2) Add server-side validation for fields intended for plain text: reject or strip any HTML, not only script content, and HTML-escape the value when it is rendered into the print format, so an `<a>` tag never reaches the PDF renderer. Validation in the browser form alone is not sufficient, since the field can also be written through the API.
3) Update ERPNext beyond 15.88.1 once a fix is released; until then, treat the sanitization in 2) as the compensating control.
4) Educate users to inspect link targets in ERP-generated PDFs before clicking, even when the document comes from an internal source.
5) Scan generated PDFs for link annotations whose targets are not on an allowlist of your own hosts, and flag or quarantine those documents.
6) Monitor logs for Quality Goal records saved with markup in their fields and for PDF generation of those records.
7) Deploy endpoint protection capable of detecting phishing and malware payloads delivered via PDFs.
8) Track ERPNext and Frappe release notes and vulnerability disclosures for a patch.
Taken together these controls address the access path, the input, the rendered document and the reader, rather than any one of them alone.
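Mitigation 5) above asks for inspection of generated PDFs. The following added Python example, not ERPNext or Frappe code, pulls the URI targets of link annotations out of a PDF and flags those that do not point at an allowlisted host. It assumes the link annotations and their URI actions are stored as plain, uncompressed objects with the action dictionary inline in the annotation (typical of HTML-to-PDF converters, but not guaranteed for every PDF writer); the sample PDF bytes, the record name and the allowlisted host are constructed.

```python
"""Flag external link targets in a generated PDF (added example, not ERPNext/Frappe code)."""
import re
from urllib.parse import urlparse

# Assumption: the host(s) your own ERP instance serves links from.
ALLOWED_HOSTS = {"erp.example.internal"}

# Constructed minimal PDF: one page with two link annotations, one internal and one
# pointing at an attacker-controlled host. Object numbers and rects are arbitrary.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://erp.example.internal/app/quality-goal/QG-0001) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620]
   /A << /S /URI /URI (https://example.invalid/sso-login) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A link annotation object runs from '/Subtype /Link' to its 'endobj'.
_LINK_OBJ = re.compile(rb"/Subtype\s*/Link\b(.*?)(?=endobj)", re.S)
# URI given as a literal string '(...)' with backslash escapes, or as a hex string '<...>'.
_URI_LIT = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
_ESC = {ord("n"): b"\n", ord("r"): b"\r", ord("t"): b"\t"}


def _unescape_literal(raw: bytes) -> str:
    """Decode PDF literal-string escapes: \\( \\) \\\\ and the common control escapes."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):  # backslash
            nxt = raw[i + 1]
            out += _ESC.get(nxt, bytes([nxt]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode("latin-1")


def _decode_hex(raw: bytes) -> str:
    digits = re.sub(rb"\s", b"", raw).decode()
    if len(digits) % 2:  # PDF pads a trailing odd digit with 0
        digits += "0"
    return bytes.fromhex(digits).decode("latin-1")


def extract_link_uris(pdf: bytes) -> list[str]:
    """URI targets of every link annotation found in the raw PDF bytes, in file order.
    Limitation: an action stored in a separate indirect object, or inside a compressed
    object stream, is not seen by this scan."""
    uris: list[str] = []
    for m in _LINK_OBJ.finditer(pdf):
        body = m.group(1)
        uris.extend(_unescape_literal(lit.group(1)) for lit in _URI_LIT.finditer(body))
        uris.extend(_decode_hex(hx.group(1)) for hx in _URI_HEX.finditer(body))
    return uris


def flag_suspicious(uris: list[str], allowed_hosts: set[str]) -> list[str]:
    """Anything that is not http(s) to an allowlisted host is flagged, which also
    catches javascript:, file: and mailto: targets."""
    flagged = []
    for uri in uris:
        parts = urlparse(uri)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https") or host not in allowed_hosts:
            flagged.append(uri)
    return flagged


if __name__ == "__main__":
    found = extract_link_uris(SAMPLE_PDF)
    print("links:", found)
    print("flagged:", flag_suspicious(found, ALLOWED_HOSTS))
```

Run this over the PDFs your print pipeline emits (or over a mailbox of documents already sent) and alert on any non-empty result. Because it reads raw bytes, it does not need a PDF library, but for PDF writers that use object streams you will need a real parser to decompress the objects first.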
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6982fcd3f9fa50a62f766300
Added to database: 2/4/2026, 8:01:23 AM
Last enriched: 2/18/2026, 1:57:28 PM
Last updated: 3/25/2026, 1:23:28 AM