CVE-2025-68927: Libredesk has Improper Neutralization of HTML Tags in a Web Page

December 16, 2025 (updated December 31, 2025)

LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks.

References

github.com/abhinavxd/libredesk
github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb
github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4
github.com/advisories/GHSA-wh6m-h6f4-rjf4
nvd.nist.gov/vuln/detail/CVE-2025-68927

Code Behaviors & Features

Detect and mitigate CVE-2025-68927 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →