Open Redirect and Reflected XSS Vulnerability in Frappe Web Application Framework
CVE-2026-25956

6.1MEDIUM

Key Information:

Vendor: Frappe
Status: Frappe
Vendor: CVE Published:; 10 February 2026

What is CVE-2026-25956?

The Frappe Web Application Framework is susceptible to a security flaw that allows attackers to create malicious signup URLs. This vulnerability can result in either an open redirect or reflected XSS attacks, depending on the malicious payload used. Users signing up on a compromised Frappe site may inadvertently expose themselves to these threats. The issue has been addressed in version 14.99.14 and 15.94.0, providing critical updates for users to ensure their applications are secure.

Affected Version(s)

frappe < 14.99.14 < 14.99.14

frappe >= 15.0.0, < 15.94.0 < 15.0.0, 15.94.0

References

https://github.com/frappe/frappe/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/frappe/frappe/commit/22cac9dd240dc1fa0...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 10, 2026
Vulnerability Reserved
Feb 9, 2026

CVE-2026-25956 Data

JSON