CVE-2025-68927 is a stored cross-site scripting vulnerability affecting LibreDesk, a self-hosted customer support desk software. The vulnerability arises in the contact notes feature where user input submitted via the POST /api/v1/contacts/{id}/notes endpoint is automatically wrapped in <p> tags by the backend. However, attackers can intercept and modify the request to remove these <p> tags, enabling injection of arbitrary HTML elements such as forms, images, or scripts. Because the input is stored and later rendered without proper sanitization or encoding, malicious payloads persist and execute in the context of users viewing the notes. This can facilitate phishing attacks by displaying deceptive forms, CSRF-style forced actions by tricking users into submitting unintended requests, and UI redress attacks that manipulate the user interface to mislead users. The vulnerability does not require authentication to exploit but does require user interaction to trigger the payload. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality and integrity. The vulnerability was publicly disclosed on December 27, 2025, and patched in LibreDesk version 0.8.6-beta. No known exploits have been reported in the wild as of now.

For European organizations using LibreDesk versions prior to 0.8.6-beta, this vulnerability poses significant risks. As LibreDesk is used for customer support, exploitation could lead to compromise of sensitive customer data confidentiality and integrity through phishing or forced actions. Attackers could manipulate support agents or customers into performing unintended operations, potentially leading to data leakage, unauthorized changes, or reputational damage. The stored nature of the XSS means malicious payloads persist and can affect multiple users over time. This is particularly impactful for organizations handling sensitive or regulated customer information under GDPR, where data breaches can result in heavy fines and legal consequences. Additionally, the ability to conduct CSRF-style attacks could allow attackers to escalate their impact beyond just UI manipulation. The lack of required authentication lowers the barrier for attackers, increasing the threat surface. Although no exploits are currently known in the wild, the high CVSS score and ease of exploitation warrant immediate attention.

European organizations should immediately upgrade LibreDesk to version 0.8.6-beta or later to apply the official patch that properly sanitizes and encodes user input in contact notes. Until upgrading is possible, organizations should implement strict input validation and output encoding on the contact notes feature to prevent HTML injection. Web application firewalls (WAFs) can be configured to detect and block suspicious payloads targeting the notes endpoint. Monitoring and alerting on unusual POST requests to /api/v1/contacts/{id}/notes can help detect exploitation attempts. User education for support staff to recognize phishing and UI redress attacks is also critical. Additionally, organizations should review access controls and audit logs for any suspicious activity related to contact notes. Regular security assessments and penetration testing focused on the customer support platform will help identify residual risks. Finally, organizations should ensure incident response plans include scenarios involving XSS exploitation in customer-facing applications.