Security Advisory

CVE-2026-3673

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-04-22 19:32:36

Last updated 2026-04-22 19:58:00

Assigner Fluid Attacks

State PUBLISHED

Description

An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping. This issue affects Frappe: 16.10.10.

← Browse all CVEs View on cve.org ↗