VYPR
Medium severity5.4NVD Advisory· Published Apr 22, 2026· Updated May 14, 2026

CVE-2026-3837

CVE-2026-3837

Description

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping

This issue affects Frappe: 16.10.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Frappe/Frappereferences3 versions
    (expand)+ 2 more
    • (no CPE)
    • cpe:2.3:a:frappe:frappe:16.10.0:*:*:*:*:*:*:*
    • (no CPE)range: = 16.10.0

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.