CVE-2026-3837

Published: Apr 22, 2026

Modified: Apr 27, 2026

PUBLISHED

Description

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping. This issue affects Frappe: 16.10.0.

Vendor: Frappe

Product: Frappe

Versions: 16.10.0 (affected)

Weaknesses (CWE)
