Skip to main content

Frappe Press CVE-2026-41430

| EUVDEUVD-2026-25391 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-04-24 GitHub_M
1.3
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
1.3 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

7
Patch released
Apr 30, 2026 - 14:51 nvd
Patch available
Patch available
Apr 24, 2026 - 05:31 EUVD
Analysis Generated
Apr 24, 2026 - 04:31 vuln.today
CVSS changed
Apr 24, 2026 - 04:22 NVD
1.3 (LOW)
EUVD ID Assigned
Apr 24, 2026 - 04:00 euvd
EUVD-2026-25391
Analysis Generated
Apr 24, 2026 - 04:00 vuln.today
CVE Published
Apr 24, 2026 - 02:42 nvd
LOW 1.3

DescriptionGitHub Advisory

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting redirects to internal URLs only.

AnalysisAI

Reflected cross-site scripting (XSS) in Frappe Press login page redirect parameter allows unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser upon clicking a malicious link, with user interaction required. The vulnerability affects all versions prior to the patch commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6, which restricts redirects to internal URLs only. CVSS score of 1.3 reflects very low confidentiality, integrity, and availability impact due to scope limitations, though XSS vulnerabilities carry inherent session hijacking and credential theft risks.

Technical ContextAI

Frappe Press is a custom application built on the Frappe framework that manages Frappe Cloud infrastructure, subscriptions, marketplace, and SaaS operations. The vulnerability exists in the login page's redirect parameter, a common pattern where applications accept a URL parameter to redirect users after authentication. The application fails to validate or sanitize this parameter before rendering it in the HTTP response, allowing an attacker to inject arbitrary HTML and JavaScript. This is a classic reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) where user-controlled input flows directly into output without encoding or validation. The fix implemented in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 restricts redirect targets to internal URLs only, likely by implementing an allowlist or URL scheme validation.

RemediationAI

Organizations using Frappe Press must apply the security patch by upgrading to a version that includes commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 or later. The patch restricts the redirect parameter to internal URLs only, preventing JavaScript injection via external URL targets. Users should immediately verify their Frappe Press deployment version and apply the latest available release; refer to the GitHub Security Advisory at https://github.com/frappe/press/security/advisories/GHSA-mpww-rq79-8r2c for specific version guidance and deployment instructions. As a temporary compensating control pending patching, organizations can implement network-level filtering to block external redirect attempts by monitoring login URLs containing suspicious redirect parameters, though this is fragile and should not substitute for patching. Additionally, security teams should audit logs for evidence of XSS parameter injection attempts, which may indicate reconnaissance or actual exploitation attempts. No workaround avoids the underlying code flaw; patching is mandatory.

Share

CVE-2026-41430 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy