CVE-2026-3837
N/A
Description
An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping. This issue affects Frappe: 16.10.0.
CVE Details
CVSS v3.1 score: N/A
Published: 4/22/2026
Last modified: 4/22/2026
Source: nvd
Honeypot sightings: 0
Weaknesses (CWE)
CWE-79
References
https://fluidattacks.com/es/advisories/sabina (help@fluidattacks.com)
https://github.com/frappe/frappe (help@fluidattacks.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.