
Description

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping. This issue affects Frappe: 16.10.0.
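The defect class described above is a formatter that drops a stored field value straight into markup. The following is an added illustration, not Frappe's code and not the patched implementation: a generic `escapeHtml` helper, a formatter written the unsafe way the description names (verbatim interpolation into an attribute and into element content), and the hardened form that encodes every interpolation point and restricts the link target to http(s) or relative URLs. The function and parameter names and the sample value are assumptions constructed for the example.

```javascript
// Added example (not Frappe's code): encode stored field values before
// interpolating them into HTML attributes or element content.

// Characters that can change meaning inside element content or a
// double- or single-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  // Null/undefined render as an empty string rather than "null".
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Attribute encoding alone does not make an href safe: the scheme also
// matters. Allow only http(s) and same-origin relative paths here.
function safeHref(href) {
  const h = String(href ?? '');
  return /^(https?:\/\/|\/)/i.test(h) ? h : '#';
}

// Unsafe pattern (the kind of formatter the advisory describes): the
// stored value lands in the markup exactly as persisted.
function formatLinkUnsafe(value, href) {
  return `<a href="${href}" title="${value}">${value}</a>`;
}

// Hardened pattern: every interpolation point is escaped and the link
// target is validated before use.
function formatLinkSafe(value, href) {
  const v = escapeHtml(value);
  const h = escapeHtml(safeHref(href));
  return `<a href="${h}" title="${v}">${v}</a>`;
}

// Constructed sample value with attribute- and tag-breaking characters.
const SAMPLE_VALUE = 'Acme "Widgets" <Ltd>';

console.log(formatLinkUnsafe(SAMPLE_VALUE, '/app/customer/1'));
console.log(formatLinkSafe(SAMPLE_VALUE, '/app/customer/1'));
```

The hardened formatter keeps the rendered text identical to the stored value while ensuring the quotes and angle brackets cannot terminate the attribute or open a new element; when reviewing a formatter, check each template placeholder individually, since a single unescaped attribute is enough to reintroduce the issue.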

PUBLISHED Reserved 2026-03-09 | Published 2026-04-22 | Updated 2026-04-27 | Assigner Fluid Attacks

MEDIUM: 4.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N)

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status
unaffected

16.10.0
affected

Credits

Fluid Attacks' AI SAST Scanner (finder)

Oscar Uribe (finder)

References

fluidattacks.com/es/advisories/sabina (third-party advisory)

github.com/frappe/frappe (product)

github.com/frappe/frappe/pull/38796 (patch)

cve.org (CVE-2026-3837)

nvd.nist.gov (CVE-2026-3837)
