Stored HTML Injection Vulnerability in LibreDesk Customer Support Desk
CVE-2025-68927

7.3HIGH

Key Information:

Vendor: Abhinavxd
Status: Libredesk
Vendor: CVE Published:; 27 December 2025

What is CVE-2025-68927?

LibreDesk, a self-hosted customer support desk application, is susceptible to a stored HTML injection vulnerability in its contact notes feature. An attacker can exploit this vulnerability during the note submission process, where user input is improperly sanitized. By intercepting the API request to add contact notes and modifying it to remove the automatically added HTML paragraph tags, an attacker can inject malicious HTML elements. This can enable various attacks, such as phishing and CSRF-style actions, leading to potential unauthorized access or manipulation of the user interface. Users are advised to update to version 0.8.6-beta, where the vulnerability has been addressed.

Affected Version(s)

libredesk < 0.8.6-beta

References

https://github.com/abhinavxd/libredesk/security/advisorie...

x_refsource_CONFIRM

https://github.com/abhinavxd/libredesk/commit/27034784994...

x_refsource_MISC

CVSS V4

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 27, 2025
Vulnerability Reserved
Dec 24, 2025

JSON

Abhinavxd

What is CVE-2025-68927?

Affected Version(s)

References

CVSS V4

Timeline