Medium severity5.4NVD Advisory· Published Apr 22, 2026· Updated May 14, 2026
CVE-2026-3837
CVE-2026-3837
Description
An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping
This issue affects Frappe: 16.10.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3Patches
Vulnerability mechanics
References
2- github.com/frappe/frappe/pull/38796nvdIssue TrackingPatch
- fluidattacks.com/es/advisories/sabinanvdExploitThird Party Advisory
News mentions
0No linked articles in our index yet.