Description
Frappe is a full-stack web application framework. Prior to 14.99.14 and 15.94.0, an attacker could craft a malicious signup URL for a frappe site which could lead to an open redirect (or reflected XSS, depending on the crafted payload) when a user signs up. This vulnerability is fixed in 14.99.14 and 15.94.0.
Published: 2026-02-10
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting and Open Redirect
Action: Apply Patch
AI Analysis

Impact

The Frappe framework contains a flaw that allows an attacker to construct a special sign‑up URL. When a user follows the link during registration, the browser may be redirected to an attacker‑chosen site or may execute a reflected cross‑site scripting payload. The vulnerability is linked to CWE‑79 (XSS) and CWE‑601 (Open Redirect).

Affected Systems

Any installation of the Frappe framework built prior to version 14.99.14 or 15.94.0 is affected. The issue arises in the public framework through its sign‑up functionality, affecting all sites that use the default registration flow without additional safeguards.

Risk and Exploitability

The CVSS score of 6.1 classifies the issue as Medium severity. The EPSS score is below 1%, indicating a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to craft a malicious link and convince a user to click on it during the sign‑up process. This suggests that successful exploitation depends on user interaction, which may limit the threat surface but still permits redirect or scripting attacks when the user follows the link.

Generated by OpenCVE AI on April 18, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Frappe framework to version 14.99.14, 15.94.0, or any newer release that contains the vendor patch.
  • If an upgrade is delayed, modify the sign‑up endpoint to reject or neutralize any query parameters that influence redirection and strip potentially dangerous characters that could form reflected scripts.
  • Observe sign‑up traffic for anomalous URLs or unexpected redirects, and block traffic from sites known to contain malicious content or otherwise suspect domains.
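As an added illustration of the second recommended action, the following Python helper (written for this page, not code from the Frappe project) restricts a post‑signup redirect parameter to same‑site paths and escapes any value that is reflected back into HTML. The parameter name `redirect_to` and the `/app` fallback are assumptions; the sample inputs are constructed.

```python
"""Added example (not Frappe project code): validating a post-signup redirect
parameter and escaping reflected values. Parameter names are assumptions."""
import html
from urllib.parse import urlsplit, urlunsplit

REDIRECT_PARAM = "redirect_to"   # assumed name; the real one may differ
DEFAULT_LANDING = "/app"         # constructed fallback destination


def safe_redirect_target(candidate, default=DEFAULT_LANDING):
    """Return a same-site path derived from ``candidate`` or ``default``.

    Only ``/path[?query][#fragment]`` forms are accepted. A scheme, an
    authority, a protocol-relative prefix (``//host``), a backslash variant
    (``/\\host``) or control characters all yield ``default`` instead.
    """
    if not candidate:
        return default
    # Browsers treat backslashes like forward slashes in the authority
    # position, so normalise them before any prefix check.
    cleaned = candidate.replace("\\", "/").strip()
    # Control characters and spaces can split a scheme ("java\tscript:")
    # past naive checks; refuse them outright.
    if any(ord(ch) <= 0x20 for ch in cleaned):
        return default
    # Check the raw string, not urlsplit().path: "///evil" parses with an
    # empty netloc and path "/evil" in Python but resolves to host "evil"
    # in a browser.
    if not cleaned.startswith("/") or cleaned.startswith("//"):
        return default
    parts = urlsplit(cleaned)
    if parts.scheme or parts.netloc:
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def escape_for_html(value):
    """HTML-escape a reflected query value before placing it in a page."""
    return html.escape(value, quote=True)


def classify(candidates):
    """Map each candidate to the destination the validator would allow."""
    return {c: safe_redirect_target(c) for c in candidates}


if __name__ == "__main__":
    # Constructed sample inputs, not real traffic.
    samples = ["/app/home?tab=1", "//evil.example", "/\\evil.example",
               "///evil.example", "javascript:alert(1)",
               "https://evil.example/", "\tjavascript:alert(1)", ""]
    for raw, dest in classify(samples).items():
        print(f"{raw!r:30} -> {dest}")
    print(escape_for_html('"><script>alert(1)</script>'))
```

The validator deliberately inspects the raw string before handing it to `urlsplit`, because Python's parser and a browser disagree on inputs such as `///host`; the escaping helper is the other half of the recommendation, covering the reflected‑XSS variant of the same parameter.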


Tracking


Advisories

No advisories yet.

History

Tue, 17 Feb 2026 15:15:00 +0000

Type   Values Removed   Values Added
CPEs                    cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 21:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Frappe
                                       Frappe frappe
Vendors & Products                     Frappe
                                       Frappe frappe

Tue, 10 Feb 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 17:45:00 +0000

Type          Values Removed   Values Added
Description                    Frappe is a full-stack web application framework. Prior to 14.99.14 and 15.94.0, an attacker could craft a malicious signup URL for a frappe site which could lead to an open redirect (or reflected XSS, depending on the crafted payload) when a user signs up. This vulnerability is fixed in 14.99.14 and 15.94.0.
Title                          Frappe Affected by XSS and Open Redirect in Sign Up
Weaknesses                     CWE-601
                               CWE-79
References
Metrics                        cvssV3_1
                               {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T19:27:58.893Z

Reserved: 2026-02-09T17:13:54.065Z

Link: CVE-2026-25956

Vulnrichment

Updated: 2026-02-10T19:27:44.902Z

NVD

Status : Analyzed

Published: 2026-02-10T18:16:38.653

Modified: 2026-02-17T15:05:39.610

Link: CVE-2026-25956

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses