Frappe EUVD-2026-25071

| CVE-2026-3673 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-22 Fluid Attacks GHSA-qg6x-fw6m-9qrp
XSS Frappe
4.6
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

2
Analysis Generated
Apr 23, 2026 - 07:05 vuln.today
CVSS changed
Apr 22, 2026 - 20:22 NVD
4.6 (MEDIUM)

DescriptionNVD

An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping. This issue affects Frappe: 16.10.10.

AnalysisAI

Stored cross-site scripting (XSS) in Frappe 16.10.10 allows authenticated attackers with high privileges to inject malicious JavaScript via crafted tag values in the _user_tags field, which execute when victims open list or report views. The vulnerability stems from unescaped interpolation of tag content into HTML attributes and element content. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

EUVD-2026-25071 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy