Skip to main content

Frappe EUVD-2026-25088

| CVE-2026-3837 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-22 Fluid Attacks
XSS Frappe
4.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:05 vuln.today
CVSS changed
Apr 22, 2026 - 21:22 NVD
4.6 (MEDIUM)
EUVD ID Assigned
Apr 22, 2026 - 20:31 euvd
EUVD-2026-25088
Analysis Generated
Apr 22, 2026 - 20:31 vuln.today
CVE Published
Apr 22, 2026 - 19:52 nvd
MEDIUM 4.6

DescriptionCVE.org

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping

This issue affects Frappe: 16.10.0.

AnalysisAI

Stored cross-site scripting (XSS) in Frappe 16.10.0 allows authenticated attackers with high privileges to inject malicious scripts into document fields, which execute in the browser of any user who subsequently opens the affected document in Desk. The vulnerability stems from unsafe HTML interpolation in multiple formatter implementations that fail to escape user-supplied values, enabling persistent client-side code execution with limited scope (low integrity/availability impact). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain high-privilege credentials or account
Delivery
Create or edit document field
Exploit
Inject unescaped XSS payload into vulnerable formatter field
Install
Persist malicious document in Frappe backend
C2
Victim opens document in Desk UI
Execute
Formatter renders unescaped HTML containing payload
Impact
JavaScript executes in victim's browser context
Step 8
Session hijacking or data exfiltration occurs
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The attacker must possess authenticated access with high privilege level (e.g., document creator or editor role) to persist malicious values into document fields. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate despite the low CVSS score, due to several mitigating and aggravating factors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with document creation/editing privileges (e.g., a disgruntled employee or compromised user account) crafts a malicious payload in a field (e.g., a URL field, label, or custom HTML-rendered field) and saves the document. When a colleague or manager opens the same document in Desk to review or collaborate, the formatter renders the unescaped payload into the HTML page, triggering JavaScript execution in the victim's browser with the victim's session context and privileges. …
Remediation Apply the vendor-released patch immediately upon availability. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-44208 MEDIUM
6.9 Jun 12

Unauthorized resource access in the Frappe web application framework exposes the submit_discussion() endpoint to unauthe
CVE-2026-50026 MEDIUM
6.9 Jun 12

Missing authorization checks on multiple Frappe framework endpoints allow remote unauthenticated attackers to access and
CVE-2026-44205 MEDIUM
6.9 Jun 12

Stored cross-site scripting in Frappe's user profile image section enables script injection that executes in the browser
CVE-2026-47739 MEDIUM
6.9 Jun 12

Stored cross-site scripting in the Frappe framework's Note feature allows a low-privileged attacker to persist malicious
CVE-2026-44206 MEDIUM
6.9 Jun 12

DB schema enumeration in Frappe (versions prior to 15.107.2 and 16.17.4) exposes internal database structure to unauthen

Share

EUVD-2026-25088 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy