CVE-2026-3837
MEDIUM
Frappe Framework 16.10.0 - Stored DOM XSS in Multiple Field Formatters
Title source: cna
Description
An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping. This issue affects Frappe: 16.10.0.
References (3)
Core References
Third Party Advisory
https://fluidattacks.com/es/advisories/sabina
Product
https://github.com/frappe/frappe
Patch
https://github.com/frappe/frappe/pull/38796
Scores
CVSS v3
5.4
EPSS
0.0019
EPSS Percentile
9.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
frappe/frappe
16.10.0
Frappe/Frappe
16.10.0
Published
Apr 22, 2026
Tracked Since
Apr 23, 2026