Frappe Framework 16.10.0 – Stored DOM XSS in Multiple Field...

4.6 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping

This issue affects Frappe: 16.10.0.

Basic Information

ID CVE-2026-3837

Source Fluid Attacks

Published Apr 22, 2026 at 19:52

Affected Product

Vendor Frappe

Product Frappe

Version 16.10.0

Affected Versions Frappe Frappe 16.10.0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping\n\nThis issue affects Frappe: 16.10.0.",
    "published": "2026-04-22T19:52:56.248Z",
    "modified": "2026-04-22T19:52:56.248Z",
    "type": "cve",
    "title": "Frappe Framework 16.10.0 - Stored DOM XSS in Multiple Field Formatters",
    "source": "Fluid Attacks",
    "references": "https://fluidattacks.com/es/advisories/sabina\nhttps://github.com/frappe/frappe",
    "id": "CVE-2026-3837",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "Frappe Frappe 16.10.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.6,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Frappe",
    "version": "16.10.0",
    "vendor": "Frappe",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Frappe Framework 16.10.0 – Stored DOM XSS in Multiple Field Formatters_CVE-2026-3837