Press vulnerable to reflected XSS on login redirection_CVE-2026-41430

1.3 / 10

LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

Description

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting redirects to internal URLs only.

Basic Information

ID CVE-2026-41430

Source GitHub_M

Published Apr 24, 2026 at 02:42

Affected Product

Vendor frappe

Product press

Version < 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6

Affected Versions frappe press < 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting redirects to internal URLs only.",
    "published": "2026-04-24T02:42:30.228Z",
    "modified": "2026-04-24T02:42:30.228Z",
    "type": "cve",
    "title": "Press vulnerable to reflected XSS on login redirection",
    "source": "GitHub_M",
    "references": "https://github.com/frappe/press/security/advisories/GHSA-mpww-rq79-8r2c\nhttps://github.com/frappe/press/commit/16d1b6ca2559f858a1de77bcb03fd7f1b81671c6",
    "id": "CVE-2026-41430",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "frappe press < 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6",
    "sourceHref": "",
    "cvss": {
        "score": 1.3,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "press",
    "version": "< 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6",
    "vendor": "frappe",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}