Reflected XSS Vulnerability in Frappe's Press Custom App
CVE-2026-41430

1.3 LOW

Key Information:

Vendor: Frappe

Status
Vendor
CVE Published: 24 April 2026

What is CVE-2026-41430?

The Press application, developed by Frappe, is vulnerable to reflected Cross-Site Scripting (XSS) through a redirection parameter on the login page. An attacker can craft a malicious URL that abuses this parameter, potentially compromising user data and session integrity. The vulnerability has been addressed in a recent commit, which limits redirects to internal URLs only.
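The kind of check the fix describes (accept only internal redirect targets) can be sketched as follows. This is an added example, not the Press patch or any Frappe code; the function name, the fallback path and the sample values are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical fallback path; not taken from Press.
DEFAULT_REDIRECT = "/dashboard"


def safe_internal_redirect(target, default=DEFAULT_REDIRECT):
    """Return target only if it is a same-site absolute path, else default."""
    if not isinstance(target, str) or not target:
        return default
    # Browsers drop some control characters and treat "\" like "/", so a
    # value containing either may be parsed differently client-side. Reject.
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return default
    # Internal means exactly one leading "/". "//host" is scheme-relative
    # and leaves the site; anything without "/" may carry a scheme.
    if not target.startswith("/") or target.startswith("//"):
        return default
    # Defence in depth: the URL parser must also see no scheme or authority.
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default
    return target


# Constructed sample values for a login-page redirect parameter.
CONSTRUCTED_SAMPLES = [
    "/dashboard/sites",             # internal path: kept
    "/dashboard?tab=apps#billing",  # internal path with query: kept
    "https://example.invalid/",     # absolute external URL: replaced
    "//example.invalid/path",       # scheme-relative URL: replaced
    "/\\example.invalid",           # backslash variant: replaced
    "javascript:void(0)",           # non-HTTP scheme: replaced
]


def check_samples():
    """Map each constructed sample to the redirect that would be used."""
    return {s: safe_internal_redirect(s) for s in CONSTRUCTED_SAMPLES}


if __name__ == "__main__":
    for sample, result in check_samples().items():
        print(f"{sample!r:34} -> {result}")
```

Validating the redirect target complements, and does not replace, output encoding wherever the value is written into a page.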

Affected Version(s)

press < 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6

CVSS V4

Score: 1.3
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved