CVE-2026-3837

Source
https://cve.org/CVERecord?id=CVE-2026-3837
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3837.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-3837
Published
2026-04-22T19:52:56.248Z
Modified
2026-07-15T01:49:11.845127614Z
Severity
  • 4.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Frappe Framework 16.10.0 - Stored DOM XSS in Multiple Field Formatters
Details

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping

This issue affects Frappe: 16.10.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/3xxx/CVE-2026-3837.json",
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "Fluid Attacks"
}
References

Affected packages

Git / github.com/frappe/frappe

Affected ranges

Type
GIT
Repo
https://github.com/frappe/frappe
Events
Database specific
{
    "cpe": "cpe:2.3:a:frappe:frappe:16.10.0:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_STRING"
    ],
    "extracted_events": [
        {
            "introduced": "16.10.0"
        },
        {
            "last_affected": "16.10.0"
        }
    ]
}

Affected versions

16.*
16.10.0
v16.*
v16.10.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3837.json"