Skip to main content

Press

2 CVEs product

Monthly

CVE-2026-41430 LOW PATCH Monitor

Reflected cross-site scripting (XSS) in Frappe Press login page redirect parameter allows unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser upon clicking a malicious link, with user interaction required. The vulnerability affects all versions prior to the patch commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6, which restricts redirects to internal URLs only. CVSS score of 1.3 reflects very low confidentiality, integrity, and availability impact due to scope limitations, though XSS vulnerabilities carry inherent session hijacking and credential theft risks.

XSS Press
NVD GitHub
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-41317 MEDIUM PATCH This Month

Frappe Press `create_api_secret` endpoint accepts GET requests despite performing database writes, enabling Cross-Site Request Forgery (CSRF)-like attacks where unauthenticated remote attackers can create API secrets by tricking authenticated users into visiting a malicious URL. No public exploit code or active exploitation has been confirmed at the time of analysis.

CSRF Press
NVD GitHub
CVSS 4.0
6.6
EPSS
0.0%
EPSS 0% CVSS 1.3
LOW PATCH Monitor

Reflected cross-site scripting (XSS) in Frappe Press login page redirect parameter allows unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser upon clicking a malicious link, with user interaction required. The vulnerability affects all versions prior to the patch commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6, which restricts redirects to internal URLs only. CVSS score of 1.3 reflects very low confidentiality, integrity, and availability impact due to scope limitations, though XSS vulnerabilities carry inherent session hijacking and credential theft risks.

XSS Press
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Frappe Press `create_api_secret` endpoint accepts GET requests despite performing database writes, enabling Cross-Site Request Forgery (CSRF)-like attacks where unauthenticated remote attackers can create API secrets by tricking authenticated users into visiting a malicious URL. No public exploit code or active exploitation has been confirmed at the time of analysis.

CSRF Press
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy