{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-3837","assignerOrgId":"84fe0718-d6bb-4716-a7e8-81a6d1daa869","state":"PUBLISHED","assignerShortName":"Fluid Attacks","dateReserved":"2026-03-09T15:02:50.797Z","datePublished":"2026-04-22T19:52:56.248Z","dateUpdated":"2026-04-27T17:37:35.899Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Frappe","vendor":"Frappe","versions":[{"status":"affected","version":"16.10.0"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:frappe:frappe:16.10.0:*:*:*:*:*:*:*","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"credits":[{"lang":"en","type":"finder","value":"Fluid Attacks' AI SAST Scanner"},{"lang":"en","type":"finder","value":"Oscar Uribe"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<span style=\"background-color: rgb(255, 255, 255);\">An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping</span><br><br><p>This issue affects Frappe: 16.10.0.</p>"}],"value":"An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escaping\n\nThis issue affects Frappe: 16.10.0."}],"impacts":[{"capecId":"CAPEC-592","descriptions":[{"lang":"en","value":"CAPEC-592 Stored XSS"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":4.6,"baseSeverity":"MEDIUM","privilegesRequired":"HIGH","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","userInteraction":"ACTIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"84fe0718-d6bb-4716-a7e8-81a6d1daa869","shortName":"Fluid Attacks","dateUpdated":"2026-04-27T17:37:35.899Z"},"references":[{"tags":["third-party-advisory"],"url":"https://fluidattacks.com/es/advisories/sabina"},{"tags":["product"],"url":"https://github.com/frappe/frappe"},{"tags":["patch"],"url":"https://github.com/frappe/frappe/pull/38796"}],"source":{"discovery":"UNKNOWN"},"title":"Frappe Framework 16.10.0 - Stored DOM XSS in Multiple Field Formatters","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-23T13:29:56.841031Z","id":"CVE-2026-3837","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-23T16:25:12.150Z"}}]}}