Description
An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping.
This issue affects Frappe: 16.10.10.
Published: 2026-04-22
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client-side code execution
Action: Update
AI Analysis

Impact

An authenticated attacker can store a crafted tag value in the _user_tags field and trigger JavaScript execution when a victim opens a list or report view where tags are rendered. The renderer interpolates tag content directly into HTML attributes and element content without proper escaping, enabling the attacker to run arbitrary JavaScript code in the victim’s browser. This can lead to data theft, session hijacking, or defacement of the application interface. The vulnerability is a Stored DOM‑XSS flaw, identified as CWE‑79.

Affected Systems

The affected product is the Frappe Framework version 16.10.10. The vulnerability exists in deployments on Linux, macOS, and Windows platforms as indicated by the corresponding CPE entries. Only installations that use the vulnerable tag renderer and allow authenticated users to store tag values are impacted.

Risk and Exploitability

The CVSS score is 4.6, reflecting moderate complexity and the requirement for authentication. No EPSS data is available and the vulnerability is not listed in CISA’s KEV catalog, suggesting a lower likelihood of widespread active exploitation. Nevertheless, because it enables client‑side code execution, administrators should address it promptly and restrict access to the tag editing functionality until a fix is applied.

Generated by OpenCVE AI on April 27, 2026 at 08:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a patch or upgrade to the latest Frappe Framework release that fixes the stored XSS flaw (consult the Frappe community or GitHub for update details).
  • Restrict or disable the ability for users to edit the _user_tags field to prevent malicious content from being stored.
  • Implement server‑side sanitization or additional escaping of tag values before rendering them to clients to mitigate the risk of injection.
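The third action above is the one that removes the root cause named in the description: tag content reaching an HTML attribute and an element's text without escaping. The following is an added example, not code from Frappe or from this record, contrasting the unescaped interpolation pattern with a renderer that applies a context-appropriate escaper to each spot the value lands in. The function names, the `tag-pill` class and the assumption that `_user_tags` is a comma-separated string are all assumptions made for the illustration.

```javascript
// Added example (not Frappe's code): a tag pill renderer that escapes tag
// values separately for HTML text content and for attribute values, the two
// contexts the CVE description says were interpolated into without escaping.
// Function names, the CSS class and the storage format are assumptions.

// Escape for element content: &, < and > are what can break out of a text node.
function escapeHtmlText(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Escape for a quoted attribute value: additionally neutralise both quote
// characters so the value cannot close the attribute and start another one.
function escapeHtmlAttr(value) {
  return escapeHtmlText(value)
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The weak pattern: the raw value is dropped into an attribute and a text node.
function renderTagPillUnsafe(tag) {
  return `<span class="tag-pill" data-tag="${tag}" title="${tag}">${tag}</span>`;
}

// The hardened pattern: each context gets the escaper that matches it.
function renderTagPillSafe(tag) {
  const attr = escapeHtmlAttr(tag);
  const text = escapeHtmlText(tag);
  return `<span class="tag-pill" data-tag="${attr}" title="${attr}">${text}</span>`;
}

// Render a whole _user_tags field. Assumed here to be a comma-separated string,
// possibly with a leading comma, so empty elements are dropped.
function renderUserTags(userTags) {
  return String(userTags || "")
    .split(",")
    .map((t) => t.trim())
    .filter((t) => t.length > 0)
    .map(renderTagPillSafe)
    .join("");
}

// Constructed sample value exercising every character the escapers handle.
const SAMPLE_TAG = 'Q2 "review" <draft> & more';

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderTagPillUnsafe(SAMPLE_TAG));
  console.log("safe:  ", renderTagPillSafe(SAMPLE_TAG));
}
```

Escaping at render time complements, rather than replaces, the first two actions: it protects every view that reuses the renderer, while restricting who may write `_user_tags` limits who can store untrusted content in the first place.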

Advisories

No advisories yet.

History

Tue, 12 May 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:frappe:frappe:16.10.10:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Wed, 22 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping. This issue affects Frappe: 16.10.10.
Title Frappe Framework 16.10.0 - Stored DOM XSS in Tag Pill Renderer
First Time appeared Frappe
Frappe frappe
Weaknesses CWE-79
CPEs cpe:2.3:a:frappe:frappe:16.10.10:*:linux:*:*:*:*:*
cpe:2.3:a:frappe:frappe:16.10.10:*:macos:*:*:*:*:*
cpe:2.3:a:frappe:frappe:16.10.10:*:windows:*:*:*:*:*
Vendors & Products Frappe
Frappe frappe
References
Metrics cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-04-22T19:58:00.187Z

Reserved: 2026-03-06T21:12:23.365Z

Link: CVE-2026-3673

Vulnrichment

Updated: 2026-04-22T19:56:41.273Z

NVD

Status : Analyzed

Published: 2026-04-22T20:16:41.790

Modified: 2026-05-12T15:48:35.180

Link: CVE-2026-3673

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T18:42:00Z

Weaknesses