Description
An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping.

This issue affects Frappe: 16.10.0.
Published: 2026-04-22
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored client‑side XSS allowing arbitrary script execution by a credentialed attacker on other users’ Desk pages
Action: Patch
AI Analysis

Impact

An authenticated attacker can persist crafted values in multiple field types and trigger client‑side script execution when another user opens the affected document in Desk. The vulnerable formatter interpolates stored values into raw HTML attributes and element content without escaping, allowing the attacker’s script to run in the victim’s browser.
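The pattern described above, as an added illustration in JavaScript (this is not Frappe's code; the function names, the `/app/` link prefix and the payload are assumptions made for the example): a field formatter that interpolates a stored value into an HTML attribute and into element content with no escaping, beside a hardened version that escapes the value at each insertion point. Two small checks show how a crafted value changes the tag structure of the unsafe output and leaves the safe output intact.

```javascript
// Added example, not code from Frappe. Function names (escapeHtml,
// formatLinkUnsafe, formatLinkSafe, countTags, containsInjectedMarkup)
// and the "/app/" link prefix are assumptions for illustration only.

// Escape the five characters that can change an HTML text or double-quoted
// attribute context. null/undefined render as an empty string.
function escapeHtml(value) {
  if (value === null || value === undefined) return "";
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable shape: the stored value is interpolated raw into an attribute
// (title, part of href) and into element content. A value containing a quote
// or "<" leaves its context and the browser parses the rest as markup.
function formatLinkUnsafe(value) {
  return `<a href="/app/${value}" title="${value}">${value}</a>`;
}

// Hardened shape: escape once at each insertion point. The same escaped
// string is safe in both the quoted-attribute and the element-content context.
function formatLinkSafe(value) {
  const v = escapeHtml(value);
  return `<a href="/app/${v}" title="${v}">${v}</a>`;
}

// Constructed payload (not taken from the advisory): closes the attribute to
// add an event handler, then closes the tag and injects a script element.
const PAYLOAD = '" onmouseover="alert(1)"><script>alert(2)</script>';

// Count start and end tags in the output. A formatter that emits a single
// <a>...</a> should always yield exactly two, whatever the value contains.
function countTags(html) {
  return (html.match(/<\/?[a-z]/gi) || []).length;
}

// True if the markup contains an event-handler attribute or a script tag that
// the formatter itself never emits, i.e. the value escaped its context.
function containsInjectedMarkup(html) {
  return /\son[a-z]+="|<script/i.test(html);
}

// Stand-alone demonstration: the unsafe output grows extra tags and an
// onmouseover handler; the safe output keeps exactly one <a> element.
console.log(formatLinkUnsafe(PAYLOAD));
console.log(formatLinkSafe(PAYLOAD));
console.log("tags unsafe:", countTags(formatLinkUnsafe(PAYLOAD)),
            "tags safe:", countTags(formatLinkSafe(PAYLOAD)));
```

Escaping covers the two contexts the advisory names (attribute values and element content). It does not cover a value that becomes an entire URL: `javascript:alert(1)` survives `escapeHtml` unchanged, so a formatter that places a stored value directly into `href` also needs scheme validation, which the example sidesteps by prefixing a fixed path.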

Affected Systems

The Frappe Framework version 16.10.0 is affected. No other versions or vendors are listed.

Risk and Exploitability

The CVSS 4.0 score of 4.6 classifies this as medium severity. The vector (AV:N/AC:L/AT:N/PR:H/UI:A) requires an attacker with high privileges on the Frappe instance (PR:H) and active interaction by the victim (UI:A), who must open the affected document in Desk; NVD later added a CVSS 3.1 score of 5.4 (see History below). The EPSS score of < 1% shows an extremely low likelihood of exploitation in practice, and the vulnerability is not included in the CISA KEV catalog. An attacker must first be authenticated to store malicious data; a second authenticated user must then view the document in Desk for the injected script to execute, and the impact is confined to what that victim’s Desk session can do in the browser.

Generated by OpenCVE AI on April 28, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Frappe release that includes the formatter escaping fix (consult the vendor’s release notes for the applicable patch; no fixed version is listed on this page at the time of writing).
  • Restrict write access to the affected DocType fields through role permissions so that only trusted users can store values that Desk later formats.
  • Deploy a Content-Security-Policy header that blocks inline script execution on the Desk interface as a temporary deterrent; verify in a staging environment first, since a policy that blocks inline scripts can also break legitimate client code.

Advisories

No advisories yet.

History

Thu, 14 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Mon, 27 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping This issue affects Frappe: 16.10.0.
Title Frappe Framework 16.10.0 - Stored DOM XSS in Multiple Field Formatters
First Time appeared Frappe
Frappe frappe
Weaknesses CWE-79
CPEs cpe:2.3:a:frappe:frappe:16.10.0:*:*:*:*:*:*:*
Vendors & Products Frappe
Frappe frappe
References
Metrics cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-04-27T17:37:35.899Z

Reserved: 2026-03-09T15:02:50.797Z

Link: CVE-2026-3837

Vulnrichment

Updated: 2026-04-23T13:30:01.311Z

NVD

Status : Analyzed

Published: 2026-04-22T21:17:08.523

Modified: 2026-05-14T21:24:47.993

Link: CVE-2026-3837

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T20:45:16Z

Weaknesses