Description
Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting redirects to internal URLs only.
Published: 2026-04-24
Score: 1.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting via the login redirect parameter
Action: Patch
AI Analysis

Impact

Press’s login page accepts a redirect parameter that is reflected back into the response without proper sanitization, enabling attackers to inject JavaScript. If a victim clicks a malicious link containing a crafted redirect, the injected script runs in the user’s browser, potentially allowing cookie theft, defacement, or phishing attacks. The CVSS score of 1.3 indicates a low overall severity, but the vulnerability could be abused if users are tricked into following a malicious redirect.

Affected Systems

The Frappe Press application, which powers Frappe Cloud’s infrastructure, subscription, and SaaS services, is affected. No version detail is provided, so any deployment of Press that includes the vulnerable login redirect code is potentially impacted.

Risk and Exploitability

The CVSS score of 1.3 and an EPSS below 1% show that the likelihood of exploitation is very low at present, and the issue is not listed in CISA’s KEV catalog. The attack vector is inferred to be a user clicking a crafted URL that triggers the vulnerable redirect. While the exploit is possible, it requires social engineering or phishing techniques to lure a user into executing the malicious script.

Generated by OpenCVE AI on April 28, 2026 at 07:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe Press to a revision that includes commit 16d1b6ca (or any later release that incorporates the published patch).
  • Modify the login redirect handler to whitelist only relative URLs or those that belong to the same host, rejecting external or absolute URLs that could be used for malicious scripting.
  • Enforce a strong Content Security Policy that disallows inline scripts and isolates trusted domains, and consider using a web application firewall to block unexpected script injections in the redirect response.

Generated by OpenCVE AI on April 28, 2026 at 07:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:frappe:press:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Mon, 27 Apr 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Frappe
Frappe press
Vendors & Products Frappe
Frappe press

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting redirects to internal URLs only.
Title Press vulnerable to reflected XSS on login redirection
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 1.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U'}

Subscriptions

Frappe Press
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T18:17:49.311Z

Reserved: 2026-04-20T15:32:33.814Z

Link: CVE-2026-41430

cve-icon Vulnrichment

Updated: 2026-04-24T17:24:18.685Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T04:16:21.000

Modified: 2026-04-30T14:51:51.090

Link: CVE-2026-41430

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:15:19Z

Weaknesses