CVE-2025-65923

5.4 MEDIUM

📋 TL;DR

A stored XSS vulnerability in ERPNext's CSV import feature allows attackers to inject malicious JavaScript into database records. When users view affected records in the web interface, the script executes in their browser context, potentially compromising sessions or performing unauthorized actions. This affects all ERPNext users up to version 15.88.1 who use the CSV import with 'Update Existing Records'.

💻 Affected Systems

Products:
  • ERPNext
Versions: through 15.88.1 (inclusive)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires CSV import functionality with 'Update Existing Records' option enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains full administrative access to ERPNext, steals sensitive business data, modifies financial records, or deploys ransomware through compromised user sessions.

🟠 Likely Case

Attacker hijacks user sessions to access confidential information, modify data, or perform unauthorized transactions within the ERP system.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before execution, limiting impact to data integrity issues.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to CSV import functionality, which typically requires authenticated user privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.88.2 or later

Vendor Advisory: https://github.com/frappe/frappe_docker.git

Restart Required: Yes

Instructions:

1. Update ERPNext to version 15.88.2 or later.
2. Restart the ERPNext service.
3. Verify the fix by testing CSV import functionality.

🔧 Temporary Workarounds

Disable CSV Import

Applies to: all

Temporarily disable CSV import functionality until patching is complete.

  • Modify ERPNext configuration to remove CSV import permissions from user roles

Input Validation Filter

Applies to: all

Implement server-side input validation to sanitize CSV data before processing.

  • Add custom validation hooks in ERPNext to strip script tags and JavaScript from CSV fields

🧯 If You Can't Patch

  • Restrict CSV import permissions to trusted administrators only
  • Implement web application firewall (WAF) rules to block XSS payloads in CSV uploads

🔍 How to Verify

Check if Vulnerable:

Test CSV import with malicious script payloads in fields and check if they execute when viewing records.

Check Version:

bench version

Verify Fix Applied:

After patching, attempt the same XSS payload in CSV import and verify scripts are not executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual CSV import activity from non-admin users
  • Large CSV files with script-like content in field data

Network Indicators:

  • CSV uploads containing JavaScript patterns or encoded payloads

SIEM Query:

source="erpnext" AND ("CSV import" OR "upload") AND ("script" OR "javascript" OR "onerror" OR "onload")
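The "Input Validation Filter" workaround and the log indicators above, worked through as an added example (this is not ERPNext or Frappe code; the column names, the pattern list and the sample CSV are constructed assumptions): it parses an import file, records every field that carries script-like markup for the audit log, and either rejects those rows or output-encodes them so the markup renders as literal text.

```python
import csv
import html
import io
import re

# Heuristic patterns for the indicators the advisory names: script tags,
# inline event handlers (onerror, onload, ...) and javascript: URIs.
# Assumed list; it will not catch every encoding trick.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*(?:iframe|img|svg)\b",
    re.IGNORECASE,
)

def flag_fields(row):
    """Return the column names whose value looks like HTML/JS markup."""
    return [k for k, v in row.items() if v and SUSPICIOUS.search(v)]

def sanitize_row(row):
    """Output-encode every field so markup renders as literal text."""
    return {k: html.escape(v, quote=True) if v else v for k, v in row.items()}

def scan_csv(text, reject=True):
    """Parse CSV text and return (clean_rows, findings).
    reject=True drops rows with suspicious fields; otherwise they are escaped.
    findings lists (line_no, field_name, value) for the audit log."""
    reader = csv.DictReader(io.StringIO(text))
    clean, findings = [], []
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        bad = flag_fields(row)
        for f in bad:
            findings.append((n, f, row[f]))
        if bad and reject:
            continue
        clean.append(sanitize_row(row))
    return clean, findings

# Constructed sample import: one benign customer row and two carrying markup.
SAMPLE_CSV = """name,customer_name,website
CUST-0001,Acme Ltd,https://acme.example
CUST-0002,"<script>alert(1)</script>",https://example.net
CUST-0003,"Bob <b onmouseover=alert(1)>Inc</b>",https://bob.example
"""

if __name__ == "__main__":
    rows, hits = scan_csv(SAMPLE_CSV, reject=False)
    for n, field, value in hits:
        print(f"line {n}: suspicious markup in {field!r}: {value!r}")
    for r in rows:
        print(r)
```

The pattern list is only a heuristic, so output encoding in the rendering layer, as the "If Mitigated" case notes, remains the primary control.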
