Frappe EUVD-2026-25088

CVE-2026-3837 | Severity: MEDIUM
Weakness: Cross-site Scripting (XSS) (CWE-79)
Published: 2026-04-22 | Fluid Attacks
CVSS 4.0 base score: 4.6

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Active (A)
Scope: X (not defined in CVSS 4.0)

Lifecycle Timeline

Apr 23, 2026 07:05 (vuln.today): Analysis generated
Apr 22, 2026 21:22 (NVD): CVSS changed to 4.6 (MEDIUM)

Description (NVD)

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping.

This issue affects Frappe: 16.10.0.

Analysis (AI)

Stored cross-site scripting (XSS) in Frappe 16.10.0 allows authenticated attackers with high privileges to inject malicious scripts into document fields, which execute in the browser of any user who subsequently opens the affected document in Desk. The vulnerability stems from unsafe HTML interpolation in multiple formatter implementations that fail to escape user-supplied values, enabling persistent client-side code execution with limited scope (low integrity/availability impact). …
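The defect class named above (a formatter interpolating a stored value into a raw HTML attribute and into element content without escaping) is shown here as an added example beside a hardened version and a regression check; this is illustrative code written for this page, not Frappe's formatter code, and the formatter name, template and sample value are constructed.

```javascript
// Added example, not Frappe's own code. Formatter name and template are hypothetical.

// Escape the characters that can terminate a quoted attribute or open a tag.
// Ampersand goes first so already-produced entities are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored value lands verbatim in a title attribute
// and in the element body. A quote in the value ends the attribute and lets
// further attributes follow; a '<' in the value opens a new element.
function formatLinkUnsafe(value) {
  return `<a class="link" title="${value}">${value}</a>`;
}

// Hardened pattern: escape at every interpolation point, in both contexts.
function formatLinkSafe(value) {
  const v = escapeHtml(value);
  return `<a class="link" title="${v}">${v}</a>`;
}

// Regression check for formatter output, usable without a DOM: the rendered
// HTML must contain exactly the tags and quoted attributes the template
// itself emits. Any surplus means stored data changed the markup structure.
function looksInjected(html, expectedTags, expectedAttrs) {
  const tags = (html.match(/<[a-zA-Z/]/g) || []).length;
  const attrs = (html.match(/\s[a-zA-Z-]+="/g) || []).length;
  return tags !== expectedTags || attrs !== expectedAttrs;
}

// Constructed fixture: a stored value containing a quote and angle brackets,
// the characters that matter in attribute and element-content contexts.
const SAMPLE_VALUE = `Acme" data-x="<b>`;

// Template <a ...>...</a> legitimately has 2 tag openers and 2 quoted attributes.
const TEMPLATE_TAGS = 2;
const TEMPLATE_ATTRS = 2;
```

Running `looksInjected` over both formatters' output for `SAMPLE_VALUE` flags the unsafe one (extra `data-x` attribute and `<b>` tags) and passes the escaped one.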
