VYPR
Medium severity · 6.1 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 30, 2026

CVE-2026-41430

Description

Press is the Frappe custom app that runs Frappe Cloud; it manages infrastructure, subscriptions, the marketplace, and software-as-a-service (SaaS) offerings. The `redirect` query parameter on the login page is vulnerable to reflected XSS: after a successful login, the dashboard assigned the parameter's value directly to `window.location.href`, so a crafted login link could supply a `javascript:` URL that executes in the victim's authenticated session, or an absolute or protocol-relative URL that sends the victim to an attacker-chosen site (open redirect). The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting the post-login redirect to relative paths on the application's own origin.

Affected products (1)

  • cpe:2.3:a:frappe:press:*:*:*:*:*:*:*:*
    Range: <0.16.0

Patches (1)

16d1b6ca2559

fix(dashboard): Restrict redirect after login to relative paths

https://github.com/frappe/press · Sabu Siyad · Apr 10, 2026 · via nvd-ref
1 file changed · +5 −3
  • dashboard/src/pages/LoginSignup.vue · +5 −3 · modified
    @@ -822,9 +822,11 @@ export default {
     		},
     		afterLogin(res) {
     			let loginRoute = `/dashboard${res.dashboard_route || '/'}`;
    -			// if query param redirect is present, redirect to that route
    -			if (this.$route.query.redirect) {
    -				loginRoute = this.$route.query.redirect;
    +			// If `redirect` is present in query, redirect to that.
    +			// Restrict redirect to relative paths.
    +			const redirect = this.$route.query.redirect;
    +			if (redirect && redirect.startsWith('/') && !redirect.startsWith('//')) {
    +				loginRoute = redirect;
     			}
     			localStorage.setItem('login_email', this.email);
     			window.location.href = loginRoute;
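Review bot: the `redirect.startsWith('/') && !redirect.startsWith('//')` guard on the new `if` line still admits `/\evil.com`, because browsers treat a backslash like a forward slash when resolving http(s) URLs, so `window.location.href = '/\\evil.com'` navigates to `https://evil.com/`; consider resolving the candidate first, e.g. `new URL(redirect, window.location.origin)`, and accepting it only when its `origin` equals the app's own (or at least also reject a leading `/\`). Separately, `redirect.startsWith` throws a TypeError when the parameter is repeated in the query string, since vue-router then returns an array for `this.$route.query.redirect`; a `typeof redirect === 'string'` check before the call keeps login from breaking on that input.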
    

Vulnerability mechanics

Before the fix, `afterLogin` in `dashboard/src/pages/LoginSignup.vue` read the `redirect` query parameter of the login page and, if it was present, assigned it unchanged to `window.location.href` once the user had logged in. That sink accepts any URL, so an attacker who gets a victim to log in through a crafted link controls where the dashboard sends the victim afterwards: a `javascript:` URL runs script in the authenticated dashboard origin (the reflected XSS this CVE records), and an absolute or protocol-relative URL sends the victim to an attacker-chosen site. The patch accepts only values that begin with a single `/`, so the redirect can no longer name a scheme or a host.
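The following is an added example, not code from the Press repository: it places the pre-patch behaviour of `afterLogin` next to the check the fix commit introduces and next to a stricter same-origin variant built on the WHATWG `URL` parser, then runs all three over constructed inputs (a legitimate path, a `javascript:` URL, an absolute URL, a protocol-relative URL, a backslash variant, and a repeated parameter). The origin `https://cloud.example` and the sample query values are assumptions made for the demo.

```javascript
// Added example (not Press's own code). ORIGIN and SAMPLES are constructed for
// the demonstration; the function bodies mirror the before/after logic of the
// fix commit and add a stricter, parser-backed alternative.

const ORIGIN = 'https://cloud.example'; // hypothetical deployment origin

// Pre-patch behaviour: whatever ?redirect= holds becomes window.location.href.
function unsafeLoginRoute(query, dashboardRoute = '/') {
  let loginRoute = `/dashboard${dashboardRoute}`;
  if (query.redirect) loginRoute = query.redirect;
  return loginRoute;
}

// The check the fix commit adds: must start with '/', must not start with '//'.
function patchedLoginRoute(query, dashboardRoute = '/') {
  let loginRoute = `/dashboard${dashboardRoute}`;
  const redirect = query.redirect;
  if (redirect && redirect.startsWith('/') && !redirect.startsWith('//')) {
    loginRoute = redirect;
  }
  return loginRoute;
}

// Stricter variant: resolve the candidate against the app's origin and keep it
// only if the parser agrees it stays on that origin. Browsers treat '\' like
// '/' in http(s) URLs, so '/\evil.example' resolves to https://evil.example/.
function sameOriginLoginRoute(query, dashboardRoute = '/', origin = ORIGIN) {
  const fallback = `/dashboard${dashboardRoute}`;
  const redirect = query.redirect;
  // vue-router yields an array when the parameter repeats; treat that as absent.
  if (typeof redirect !== 'string' || !redirect.startsWith('/')) return fallback;
  let resolved;
  try {
    resolved = new URL(redirect, origin);
  } catch {
    return fallback;
  }
  if (resolved.origin !== new URL(origin).origin) return fallback;
  // Re-emit only path, query and fragment so the result is always relative.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Where a route string actually lands once the browser resolves it.
function landsOn(route, origin = ORIGIN) {
  const u = new URL(route, origin);
  return u.protocol === 'javascript:' ? 'javascript:' : u.origin;
}

// Constructed attacker-style inputs alongside one legitimate value.
const SAMPLES = [
  { redirect: '/dashboard/sites' },
  { redirect: 'javascript:alert(document.domain)' },
  { redirect: 'https://evil.example/phish' },
  { redirect: '//evil.example/phish' },
  { redirect: '/\\evil.example/phish' },
  { redirect: ['/dashboard/sites', '//evil.example'] },
];

// Run every sample through all three resolvers; record a thrown error instead
// of letting it abort the comparison.
function compare(samples = SAMPLES) {
  return samples.map((q) => {
    let patched;
    try {
      patched = patchedLoginRoute(q);
    } catch (e) {
      patched = `throws ${e.constructor.name}`;
    }
    const unsafe = unsafeLoginRoute(q);
    return {
      input: q.redirect,
      unsafe,
      unsafeLandsOn: typeof unsafe === 'string' ? landsOn(unsafe) : 'n/a',
      patched,
      patchedLandsOn: patched.startsWith('throws') ? 'n/a' : landsOn(patched),
      strict: sameOriginLoginRoute(q),
    };
  });
}

if (typeof module !== 'undefined' && require.main === module) {
  console.table(compare());
}
```

The table shows the two rows that matter: the patched check sends `/\evil.example/phish` through unchanged and it lands on `https://evil.example`, while the parser-backed variant falls back to the dashboard; and the repeated-parameter row makes the patched check throw where the strict variant simply ignores the value.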
