CVE-2026-3837

MEDIUM

Frappe Framework 16.10.0 - Stored DOM XSS in Multiple Field Formatters

Title source: cna

Description

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping This issue affects Frappe: 16.10.0.

References (2)

[Third Party Advisory] https://fluidattacks.com/es/advisories/sabina

[Product] https://github.com/frappe/frappe

Scores

CVSS v4 4.6

EPSS 0.0007

EPSS Percentile 21.5%

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Details

CWE

CWE-79

Status published

Products (1)

Frappe/Frappe 16.10.0

Published Apr 22, 2026

Tracked Since Apr 23, 2026