Cross-Site Scripting Vulnerability in Frappe by Frappe Technologies
CVE-2026-3673

4.6MEDIUM

Key Information:

Vendor: Frappe
Status: Frappe
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-3673?

An authenticated attacker can exploit a vulnerability in Frappe to inject crafted tag values into user tags, enabling the execution of JavaScript when a victim views tag lists or reports. The system fails to properly escape the interpolated tag content within HTML attributes and elements, leading to potential security breaches. Organizations using affected versions should implement patches to mitigate this risk.

Affected Version(s)

Frappe Windows 16.10.10

References

https://fluidattacks.com/es/advisories/silvio

third-party-advisory

https://github.com/frappe/frappe

product

CVSS V4

Score:

4.6

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Mar 6, 2026

Credit

Fluid Attacks' AI SAST Scanner

Oscar Uribe

CVE-2026-3673 Data

JSON