Frappe Framework 16.10.0 Stored DOM XSS in Tag Pill Renderer (CVE-2026-3673)

Frappe Framework 16.10.0 Stored DOM XSS Vulnerability Summary Vulnerability Overview Vulnerability Name: Frappe Framework 16.10.0 – Stored DOM XSS in Tag Pill Renderer Vulnerability Type: Stored DOM XSS (Stored DOM XSS) CVSS Score: 4.6 (Medium) CVE ID: CVE-2026-3673 Discoverer: Oscar Uribe (Fluid Attacks AI SAST Scanner) Disclosure Date: April 21, 2026 Impact Scope Affected Product: Frappe Framework Affected Version: 16.10.0 Status: Public Exploitation Requirement: Authenticated user privileges required Attack Method: Attacker can inject malicious tags into ; when other users open list/report views, JavaScript execution is triggered Vulnerability Details Vulnerability Path 1. Source: Attacker-controlled tag value passed via 2. Persistence: stores comma-separated tags 3. Injection Point: In renderer: - Title uses - Tags are not escaped in inner HTML 4. DOM Insertion: Rendered HTML is inserted into list/report view, enabling attribute injection (e.g., ) PoC Code Exploitation Steps 1. Visit: 2. Enable "Show Tags" list setting (if hidden) 3. Hover mouse over the malicious tag Remediation Current Status: No patch available yet Recommended Measures: - Apply HTML escaping to tag content - Avoid directly inserting user input into inner HTML - Implement Content Security Policy (CSP) to restrict script execution Timeline March 6, 2026: Vulnerability discovered March 5, 2026: Vendor contacted March 24, 2026: Vendor responded April 21, 2026: Public disclosure

Goal Reached Thanks to every supporter — we hit 100%!

Frappe Framework 16.10.0 Stored DOM XSS in Tag Pill Renderer (CVE-2026-3673)