CVE-2026-3673

Vulnerability Description

An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping.
This issue affects Frappe: 16.10.10.

Vulnerability Details

Published Date

April 22, 2026

Last Modified

April 22, 2026

CWE ID

CWE-79

Source

NVD

External References

https://fluidattacks.com/es/advisories/silvio
https://github.com/frappe/frappe
https://fluidattacks.com/es/advisories/silvio

CVE-2026-3673

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment