CVE-2026-3837

CVE Database · CVE-2026-3837

CVE-2026-3837

· MEDIUMAnalyzed

CVSS v3.1

5.4

CVSS v4.0

4.6

EPSS

0.19%

Published

Apr 22, 2026

Modified

May 14, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping This issue affects Frappe: 16.10.0.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

CWE-79

Affected Products (1)

frappe · frappevulnerable

References (3)

https://fluidattacks.com/es/advisories/sabina

ExploitThird Party Advisory

https://github.com/frappe/frappe

Product

https://github.com/frappe/frappe/pull/38796

Issue TrackingPatch

KEV Catalog EPSS Scores Vendors All CVEs