Medium severity5.4NVD Advisory· Published Apr 22, 2026· Updated May 14, 2026

CVE-2026-3837

Description

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping

This issue affects Frappe: 16.10.0.

Affected products

Frappe/Frappereferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/frappe/frappe/pull/38796nvdIssue TrackingPatch
fluidattacks.com/es/advisories/sabinanvdExploitThird Party Advisory

News mentions

No linked articles in our index yet.

Severity

MediumCVSS v3.1

5.4/ 10

CVSS v44.6

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: Low
User interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

Probability of exploitation in the next 30 days.

0.03%

VYPR risk score

Composite of severity, exploitation, and reach.

0.35medium

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE ID

CVE-2026-3837

Source code

github.com/frappe/frappe

Credits

FA
Fluid Attacks' AI SAST Scanner
finder
OU
Oscar Uribe
finder