CVE-2025-68927 HIGH

CVE-2025-68927: Improper Neutralization of HTML Tags in a Web Page in libredesk

Vendor Abhinavxd
Product libredesk
Weakness CWE-79 · XSS
Published December 27, 2025
Last update December 29, 2025
View on NVD All CVEs

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta.

Key dates

02Disclosure timeline

December 27, 2025 CVE published
December 29, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-47972 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2024-11829 The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2020-25706 CVE-2024-24928 WordPress Content Cards Plugin <= 0.9.7 is vulnerable to Cross Site Scripting (XSS) CVE-2024-52830 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)