CVE-2026-25956 Overview
CVE-2026-25956 is an open redirect and reflected Cross-Site Scripting (XSS) vulnerability affecting the Frappe full-stack web application framework. Prior to versions 14.99.14 and 15.94.0, an attacker could craft a malicious signup URL for a Frappe site that leads to an open redirect or reflected XSS when a user signs up, depending on the crafted payload. This vulnerability arises from insufficient sanitization of the redirect URL parameter during the signup process.
Critical Impact
Attackers can exploit this vulnerability to redirect users to malicious websites or execute arbitrary JavaScript in the context of the victim's browser session, potentially leading to credential theft, session hijacking, or phishing attacks.
Affected Products
- Frappe Framework versions prior to 14.99.14
- Frappe Framework versions prior to 15.94.0
- Applications built on vulnerable Frappe Framework versions
Discovery Timeline
- 2026-02-10 - CVE-2026-25956 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2026-25956
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The vulnerability exists in the user signup functionality of the Frappe framework, where the redirect URL parameter was not properly sanitized before being used.
When a user registers through a signup URL containing a malicious redirect parameter, the framework would process this parameter without adequate validation. This allows an attacker to inject arbitrary redirect destinations or JavaScript code that executes when the signup process completes. The attack requires user interaction—specifically, the victim must click on the malicious signup link and complete the registration process.
The scope is changed (S:C in CVSS terms), meaning the vulnerable component (the Frappe framework) and the impacted component (the user's browser or another domain) are different, which can amplify the impact of successful exploitation.
Root Cause
The root cause of this vulnerability is the lack of proper sanitization for the redirect URL parameter in the signup workflow. The sign_up function in frappe/core/doctype/user/user.py did not validate or sanitize redirect URLs before using them, allowing attackers to specify arbitrary redirect destinations including JavaScript URI schemes for XSS attacks.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker crafts a malicious signup URL containing a specially crafted redirect parameter. When shared with potential victims (via email, social media, or other means), users who click the link and complete the signup process are redirected to an attacker-controlled destination or have malicious JavaScript executed in their browser context.
Attack scenarios include:
- Open Redirect: Redirecting users to phishing sites that mimic the legitimate application to steal credentials
- Reflected XSS: Executing JavaScript to steal session tokens, perform actions on behalf of the user, or deface the application interface
# Security patch showing the fix - sanitize_redirect import added
# Source: https://github.com/frappe/frappe/commit/22cac9dd240dc1fa00d4bab7e3887b70faf22bd1
from frappe.utils.password import update_password as _update_password
from frappe.utils.user import get_system_managers
from frappe.website.utils import get_home_page, is_signup_disabled
+from frappe.www.login import sanitize_redirect
desk_properties = (
"search_bar",
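Review bot: the hunk shows only the added import `from frappe.www.login import sanitize_redirect`; the call site where the redirect parameter is actually passed through sanitize_redirect is not among the visible lines, so a reader cannot confirm from this excerpt which code path is fixed. Include the hunk that applies sanitize_redirect to the redirect value in sign_up, with its trailing context, so the fix is reviewable end to end. The excerpt also stops mid-tuple at `desk_properties = (` / `"search_bar",`; either drop that trailing context or extend it to the closing line.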
The patch imports the sanitize_redirect function from the login module and applies it to validate redirect URLs during the signup process, preventing malicious redirects and XSS payloads.
Detection Methods for CVE-2026-25956
Indicators of Compromise
- Unusual signup URLs containing external domains or JavaScript URI schemes in redirect parameters
- Web server logs showing signup requests with encoded payloads in query parameters
- Reports from users being redirected to unexpected websites after registration
- Browser console errors indicating blocked or attempted XSS execution
Detection Strategies
- Monitor web application logs for signup requests containing suspicious redirect parameters such as javascript:, data:, or external domain URLs
- Implement Content Security Policy (CSP) headers to detect and block XSS attempts
- Use Web Application Firewall (WAF) rules to flag requests with common XSS patterns in URL parameters
- Review authentication and registration flow logs for anomalous redirect patterns
Monitoring Recommendations
- Enable verbose logging for the Frappe framework's authentication and signup modules
- Set up alerts for HTTP requests to signup endpoints containing encoded characters or external URLs
- Monitor for CSP violation reports that may indicate XSS exploitation attempts
- Track user-reported phishing or redirect issues that may indicate active exploitation
How to Mitigate CVE-2026-25956
Immediate Actions Required
- Upgrade Frappe Framework to version 14.99.14 or later for the 14.x branch
- Upgrade Frappe Framework to version 15.94.0 or later for the 15.x branch
- Review web server logs for any evidence of exploitation attempts
- Notify users if suspicious signup activity has been detected
Patch Information
The vulnerability is fixed in Frappe Framework versions 14.99.14 and 15.94.0. The fix implements proper sanitization of redirect URLs during the signup process by utilizing the existing sanitize_redirect function from the login module. For detailed patch information, refer to the GitHub Commit and the GitHub Security Advisory GHSA-7m8v-g2pr-h2f7.
Workarounds
- Implement a Web Application Firewall (WAF) rule to block requests containing JavaScript URI schemes or external domains in signup redirect parameters
- Add Content Security Policy headers to prevent inline script execution as a defense-in-depth measure
- Consider temporarily disabling user self-registration until the patch can be applied
- Implement server-side URL validation using an allowlist of permitted redirect destinations
# Example nginx configuration to block suspicious redirect parameters
# $query_string is not percent-decoded, so the encoded forms an attacker would
# actually send (javascript%3A, https%3A%2F%2F, %2F%2F) must be matched as well.
location /api/method/frappe.core.doctype.user.user.sign_up {
    # Reject a redirect parameter whose value starts with a javascript:/data:/vbscript:
    # scheme, an http(s) URL, or a protocol-relative "//" URL. Only relative paths pass.
    if ($query_string ~* "redirect[^&=]*=((javascript|data|vbscript)(:|%3a)|https?(:|%3a)|(/|%2f)(/|%2f))") {
        return 403;
    }
    proxy_pass http://frappe_backend;
}
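Added example, not code from the advisory or from the Frappe project, that serves both the log-monitoring strategy listed under Detection Strategies and the allowlist workaround above: a same-site redirect validator that stands in for an allowlist check, plus a scanner that flags signup requests in access logs whose redirect value fails it. It assumes the parameter is named redirect_to and appears in the logged query string, a site host of erp.example.com, and the signup endpoint path used in the nginx example; the log lines are constructed.

```python
from urllib.parse import parse_qs, unquote, urlsplit

SITE_HOST = "erp.example.com"  # constructed site hostname for the same-origin check
SIGNUP_ENDPOINT = "/api/method/frappe.core.doctype.user.user.sign_up"
REDIRECT_PARAM = "redirect_to"  # assumed name of the signup redirect parameter

def is_safe_redirect(url: str) -> bool:
    """Allow only same-site destinations: a plain absolute path or an http(s) URL on
    SITE_HOST. Stand-in for an allowlist check, not Frappe's own sanitize_redirect."""
    candidate = unquote(url).strip()
    # Control chars smuggle schemes past filters; browsers treat "\" as "/" ("/\evil" -> "//evil").
    if "\\" in candidate or any(ord(c) < 0x20 for c in candidate):
        return False
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal; treat unparsable input as unsafe
        return False
    if parts.scheme:
        # javascript:, data:, vbscript: etc. fail the scheme test; foreign hosts fail the host test.
        return parts.scheme.lower() in ("http", "https") and parts.hostname == SITE_HOST
    # No scheme but a network location means a protocol-relative URL ("//evil.example").
    if parts.netloc:
        return False
    return candidate.startswith("/")

def suspicious_signup_requests(log_lines):
    """(line_no, redirect_value) for signup requests whose redirect fails is_safe_redirect."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            target = line.split('"')[1].split()[1]  # "GET /p?q=1 HTTP/1.1" -> /p?q=1
        except IndexError:
            continue
        path, _, query = target.partition("?")
        if path != SIGNUP_ENDPOINT:
            continue
        for value in parse_qs(query).get(REDIRECT_PARAM, []):  # already percent-decoded
            if not is_safe_redirect(value):
                hits.append((n, value))
    return hits

# Constructed sample access-log lines (not real traffic); lines 2 and 3 should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2026:12:00:01 +0000] "GET /api/method/frappe.core.doctype.user.user.sign_up?email=a%40example.com&redirect_to=%2Fapp%2Fhome HTTP/1.1" 200 512',
    '203.0.113.6 - - [10/Feb/2026:12:00:02 +0000] "GET /api/method/frappe.core.doctype.user.user.sign_up?email=b%40example.com&redirect_to=https%3A%2F%2Fevil.example%2Flogin HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Feb/2026:12:00:03 +0000] "GET /api/method/frappe.core.doctype.user.user.sign_up?email=c%40example.com&redirect_to=javascript%3Avoid%280%29 HTTP/1.1" 200 512',
    '203.0.113.8 - - [10/Feb/2026:12:00:04 +0000] "GET /app/home HTTP/1.1" 200 100',
]
```

The same is_safe_redirect check can be applied server-side to the redirect value before the signup handler uses it, which is the allowlist workaround in code form.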
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.