Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting redirects to internal URLs only.
AnalysisAI
Reflected cross-site scripting (XSS) in Frappe Press login page redirect parameter allows unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser upon clicking a malicious link, with user interaction required. The vulnerability affects all versions prior to the patch commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6, which restricts redirects to internal URLs only. CVSS score of 1.3 reflects very low confidentiality, integrity, and availability impact due to scope limitations, though XSS vulnerabilities carry inherent session hijacking and credential theft risks.
Technical ContextAI
Frappe Press is a custom application built on the Frappe framework that manages Frappe Cloud infrastructure, subscriptions, marketplace, and SaaS operations. The vulnerability exists in the login page's redirect parameter, a common pattern where applications accept a URL parameter to redirect users after authentication. The application fails to validate or sanitize this parameter before rendering it in the HTTP response, allowing an attacker to inject arbitrary HTML and JavaScript. This is a classic reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) where user-controlled input flows directly into output without encoding or validation. The fix implemented in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 restricts redirect targets to internal URLs only, likely by implementing an allowlist or URL scheme validation.
RemediationAI
Organizations using Frappe Press must apply the security patch by upgrading to a version that includes commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 or later. The patch restricts the redirect parameter to internal URLs only, preventing JavaScript injection via external URL targets. Users should immediately verify their Frappe Press deployment version and apply the latest available release; refer to the GitHub Security Advisory at https://github.com/frappe/press/security/advisories/GHSA-mpww-rq79-8r2c for specific version guidance and deployment instructions. As a temporary compensating control pending patching, organizations can implement network-level filtering to block external redirect attempts by monitoring login URLs containing suspicious redirect parameters, though this is fragile and should not substitute for patching. Additionally, security teams should audit logs for evidence of XSS parameter injection attempts, which may indicate reconnaissance or actual exploitation attempts. No workaround avoids the underlying code flaw; patching is mandatory.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25391