CVE-2026-3673
Published: Apr 22, 2026
Modified: Apr 22, 2026
PUBLISHED
Description
An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping. This issue affects Frappe: 16.10.10.
| Vendor | Product | Versions |
|---|---|---|
| Frappe | Frappe | affected 16.10.10 |
Weaknesses (CWE)
References
https://fluidattacks.com/es/advisories/silvio
third-party-advisory