ERPNext HTML Injection Vulnerability in PDF Generation

Vulnerability

ERPNext versions through 15.88.1 accept unfiltered HTML, notably hyperlinks, in fields intended to hold plain text; the affected input is the 'Add Quality Goal' function. Script execution is blocked, so the flaw does not yield cross-site scripting, but the injected markup is carried unchanged into the PDFs the ERP system generates, where an injected hyperlink becomes a clickable link. Because ERP-generated PDF documents are generally treated as trustworthy, recipients are likely to follow such links, which can lead to phishing or malware delivery.
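The following is an added example, not ERPNext's or Frappe's own code, illustrating the pattern behind the advisory: a plain-text field interpolated into the HTML that is later rendered to PDF, once without escaping (the flawed pattern) and once with escaping (the fix), plus a small parser-based check that finds any anchor a PDF renderer would turn into a clickable link. The template string, the field value and the link target are constructed for illustration; real ERPNext print formats are Jinja templates and the real payload is not reproduced here.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a value an attacker might save into a plain-text field
# such as a quality goal name. Hypothetical payload, not taken from the advisory.
SAMPLE_GOAL_NAME = 'Reduce defects <a href="https://example.invalid/login">Review report</a>'

# Assumed stand-in for one line of a print-format template. ERPNext/Frappe
# print formats are Jinja templates; this is only enough to show the difference.
TEMPLATE = "<p>Quality Goal: {value}</p>"


def render_vulnerable(value: str) -> str:
    """Interpolate a field into the PDF HTML without escaping (the flawed pattern).

    Any <a href="..."> stored in the field survives into the generated PDF.
    """
    return TEMPLATE.format(value=value)


def render_hardened(value: str) -> str:
    """Escape the field so it renders as literal text, never as markup.

    quote=True also escapes quotes, so the value cannot break out of an attribute
    if a template ever places it inside one.
    """
    return TEMPLATE.format(value=html.escape(value, quote=True))


class AnchorFinder(HTMLParser):
    """Collect the href of every <a> tag in an HTML fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_links(fragment: str) -> list:
    """Return every clickable link target a PDF renderer would see in the fragment."""
    finder = AnchorFinder()
    finder.feed(fragment)
    finder.close()
    return finder.hrefs


def audit_stored_values(values) -> dict:
    """Map each stored plain-text value that already contains a link to its targets.

    Useful after patching: escaping on output stops new PDFs from carrying links,
    but records saved before the fix still hold the markup and should be reviewed.
    """
    findings = {}
    for value in values:
        links = find_links(value)
        if links:
            findings[value] = links
    return findings


if __name__ == "__main__":
    print("vulnerable:", find_links(render_vulnerable(SAMPLE_GOAL_NAME)))
    print("hardened:  ", find_links(render_hardened(SAMPLE_GOAL_NAME)))
    print("audit:     ", audit_stored_values(["Cut lead time by 10%", SAMPLE_GOAL_NAME]))
```

Escaping on output is the minimal fix; rejecting or stripping markup on input for fields declared as plain text is the stronger one, and the audit function above is the kind of check a responder would run over already-stored records after either fix ships.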

Impact

Exploitation of this vulnerability allows for the injection of malicious links into ERPNext-generated PDF documents, creating a risk of phishing or malware delivery.

Added: Feb 3, 2026, 6:43 PM
Updated: Feb 3, 2026, 6:43 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 0.2
exploitability: 5.1
remediation: 0.0
relevance: 2.5
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.