
CVE-2025-65924: n/a

Severity: Low (no CVSS score assigned)
Published: Tue Feb 03 2026 (02/03/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

ERPNext through 15.88.1 does not sanitize or remove certain HTML tags, specifically `<a>` hyperlinks, in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the 'Add Quality Goal' function.

AI-Powered Analysis

Last updated: 02/04/2026, 08:11:01 UTC

Technical Analysis

CVE-2025-65924 affects ERPNext versions through 15.88.1, specifically the 'Add Quality Goal' function. Fields that are meant to hold plain text are not stripped of HTML, and `<a>` hyperlink tags in particular are preserved. ERPNext renders its PDFs from an HTML print format, so an anchor that survives into that HTML becomes a live, clickable link in the resulting document. JavaScript is blocked, so this is not a cross-site scripting issue; the risk is content injection into a document that recipients treat as authoritative. An attacker with permission to create or edit a quality goal supplies the crafted value once, and it is carried into every PDF generated from that record. Because ERP-generated PDFs are typically trusted and forwarded without scrutiny, the injected link is an effective lure for phishing or malware delivery. No CVSS score has been assigned and no exploitation in the wild is known. The underlying weakness is missing output encoding (or input sanitization) for plain-text fields on the quality management module's print path; other fields rendered by the same mechanism may warrant review, although the advisory names only the 'Add Quality Goal' function. Organizations that use ERPNext for quality goals and reporting should treat malicious link injection into trusted documents as a live threat vector.

Potential Impact

The impact is greatest for organizations in manufacturing, quality assurance and supply-chain roles that use ERPNext to manage quality goals and issue official documentation. A malicious link embedded in a trusted quality report can drive credential theft, unauthorized access or malware infection, with the usual knock-on effects of data compromise, operational disruption and reputational damage. Because these PDFs are shared with partners, auditors and customers as well as internally, the exposure extends beyond the originating organization and can serve as a supply-chain attack vector against its counterparties. Recipients are less vigilant toward documents that appear to come from a known ERP system, which raises the likelihood that the lure succeeds. For European organizations, a resulting breach of personal data also carries GDPR notification and liability exposure. Exploitation requires an account able to create or edit quality goals, and no in-the-wild exploitation is known, which limits immediate widespread impact; given ERPNext's broad open-source adoption, targeted use against high-value European industrial and commercial entities remains plausible.

Mitigation Recommendations

To mitigate CVE-2025-65924, organizations should implement the following measures:
1) Apply the ERPNext update that addresses HTML handling in PDF generation as soon as one is available; until then, treat the quality goal print path as exposed.
2) In the interim, customize or extend the print format or PDF generation logic so that fields intended for plain text are HTML-escaped, or stripped of all tags (especially `<a>`), before rendering.
3) Add server-side input validation that rejects or escapes HTML in quality goal fields; client-side checks alone can be bypassed.
4) Audit existing quality goal records for embedded anchor tags, since records created before a fix keep their injected links in every PDF regenerated from them.
5) Train users to treat links inside ERP-generated PDFs with the same suspicion as links in email, and to verify unexpected ones before clicking.
6) Where the PDF rendering pipeline allows it, render anchors as plain text or warn when a generated document contains external links.
7) Monitor for and act on user reports of unexpected links in ERP documents, and log changes to quality goal records so injected content can be traced to an account.
8) Restrict the permission to add or modify quality goals to the smallest set of users that needs it.
9) Deploy endpoint and web protections that can block or flag navigation to phishing and malware-delivery URLs.
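The following Python is an added example, not ERPNext or Frappe code, written to illustrate the technical analysis above and mitigation items 2, 3 and 4. It models the vulnerable output path (a plain-text field interpolated unescaped into the HTML that the PDF renderer consumes), the hardened path (escape at render time), a tag-stripping sanitizer for plain-text fields, and an audit routine that flags anchor tags already present in stored records. The field names (`goal`, `description`), the record names and the attacker input are constructed for illustration; the real print format, DocType fields and hook names in ERPNext differ.

```python
"""Added example (not ERPNext/Frappe code): how an <a> tag survives into a
rendered document, an output-escaping fix, a tag-stripping sanitizer for
plain-text fields, and an audit of stored records. Field names, record names
and the attacker input are constructed for illustration."""
import html
import re
from html.parser import HTMLParser

# Constructed attacker input for a plain-text field such as a quality goal name.
ATTACKER_INPUT = (
    'Reduce defects <a href="https://evil.example/login">see revised targets</a>'
)

# Constructed quality goal records; "QG-0002" carries injected anchors in two fields.
SAMPLE_RECORDS = [
    {"name": "QG-0001", "goal": "Reduce scrap rate below 2%",
     "description": "Reviewed monthly by the quality team"},
    {"name": "QG-0002", "goal": ATTACKER_INPUT,
     "description": "Updated <A HREF='https://evil.example/doc.pdf'>guidance</A>"},
]


def render_unescaped(value: str) -> str:
    """Models the vulnerable path: the field value is interpolated into the
    HTML that feeds the PDF renderer as-is, so an <a> tag stays a live link."""
    return f"<p>{value}</p>"


def render_escaped(value: str) -> str:
    """Hardened path: HTML-escape the value at render time, so any markup the
    field contains is displayed as literal text rather than interpreted."""
    return f"<p>{html.escape(value, quote=True)}</p>"


class _TextAndAnchors(HTMLParser):
    """Collects text nodes and drops every tag; records hrefs of <a> tags seen."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.anchors = []

    def handle_starttag(self, tag, attrs) -> None:
        # HTMLParser lowercases tag and attribute names, so <A HREF=...> is caught too.
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.anchors.append(href)

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def _parse(value: str) -> _TextAndAnchors:
    parser = _TextAndAnchors()
    parser.feed(value)
    parser.close()
    return parser


def sanitize_plain_text(value: str) -> str:
    """Strip all markup from a field meant to hold plain text, keeping only the
    visible text. Character references are decoded, so the result is plain
    text and must still be escaped by the renderer (see render_escaped)."""
    text = "".join(_parse(value).parts)
    return re.sub(r"\s+", " ", text).strip()


def find_injected_links(value: str) -> list:
    """Return the href of every anchor hidden in a supposedly plain-text value."""
    return _parse(value).anchors


def audit_plain_text_fields(records, fields=("goal", "description")) -> list:
    """Scan stored records for anchors that would become clickable links in a
    regenerated PDF. Returns (record name, field, href) tuples."""
    findings = []
    for rec in records:
        for field in fields:
            for href in find_injected_links(rec.get(field, "")):
                findings.append((rec["name"], field, href))
    return findings


if __name__ == "__main__":
    print("vulnerable:", render_unescaped(ATTACKER_INPUT))
    print("escaped:   ", render_escaped(ATTACKER_INPUT))
    print("stripped:  ", sanitize_plain_text(ATTACKER_INPUT))
    for name, field, href in audit_plain_text_fields(SAMPLE_RECORDS):
        print(f"{name}.{field}: injected link -> {href}")
```

Two design points matter in practice. First, stripping tags on input is not a substitute for escaping on output: `sanitize_plain_text` decodes character references, so a stored value of `&lt;a href=...&gt;` comes back as a literal `<a href=...>` string, which is harmless only if the renderer escapes it; passing it through `render_unescaped` would make it a live link again. Second, the audit is worth running once against existing data after patching, because the fix only changes how new input is handled, while PDFs are regenerated from records that may already contain anchors.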


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-11-18T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 6982fcd3f9fa50a62f766300

Added to database: 2/4/2026, 8:01:23 AM

Last enriched: 2/4/2026, 8:11:01 AM

Last updated: 2/7/2026, 6:22:04 AM

