Home > Vulnerability Database > CVE-2025-68927

Mend.io Vulnerability Database

CVE-2025-68927

Good to know:

Date: December 26, 2025

Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta.

Severity Score

6.1

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-68927

Url: https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb

Url: https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4

Url: https://github.com/abhinavxd/libredesk

Url: https://www.mend.io/vulnerability-database/CVE-2025-68927

Severity Score

6.1

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version github.com/abhinavxd/libredesk - v0.8.6-beta;https://github.com/abhinavxd/libredesk.git - v0.8.6-beta

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-68927

Good to know:

Date: December 26, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?