CVE-2026-3673 Overview
CVE-2026-3673 is a Stored Cross-Site Scripting (XSS) vulnerability in Frappe Framework version 16.10.10. An authenticated attacker can store a crafted tag value in the _user_tags field and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without proper escaping, enabling persistent XSS attacks.
Critical Impact
Authenticated attackers can inject malicious JavaScript that executes in victims' browsers when viewing tag-rendered content, potentially leading to session hijacking, credential theft, or further compromise of the Frappe application.
Affected Products
- Frappe Framework version 16.10.10
Discovery Timeline
- 2026-04-22 - CVE-2026-3673 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-3673
Vulnerability Analysis
This vulnerability represents a classic Stored Cross-Site Scripting (CWE-79) flaw where user-controlled input is persisted in the database and later rendered in victims' browsers without adequate sanitization. The attack requires authentication to store the malicious payload, but the impact extends to any user who subsequently views the affected list or report views.
The core issue lies in the tag rendering mechanism that interpolates _user_tags content directly into HTML without proper output encoding. When tag values are rendered in list views or reports, the application fails to escape special HTML characters, allowing script injection through crafted tag strings.
The vulnerability requires user interaction as the victim must navigate to a view where the malicious tags are rendered. The impact is limited to the session context of other users viewing the compromised content, potentially enabling attackers to steal session tokens, perform actions on behalf of victims, or redirect users to malicious sites.
Root Cause
The root cause is improper output encoding in Frappe's tag rendering component. When the application displays user tags in list and report views, it interpolates tag content directly into HTML element attributes and content without applying context-appropriate escaping functions. This violates secure coding practices for handling untrusted data in HTML contexts.
Attack Vector
The attack follows a network-based, authenticated exploitation path:
- An authenticated attacker with tag creation privileges crafts a malicious tag value containing JavaScript payload
- The attacker stores this value in the _user_tags field associated with a document or record
- When any user (victim) navigates to a list view or report that renders the tagged item, the malicious script executes in their browser context
- The script can access the victim's session, cookies, and perform actions within the application on their behalf
The malicious payload is embedded in tag content and relies on the renderer's lack of sanitization: for example, a tag containing event handlers or script elements executes once it is interpolated into the DOM. For detailed technical exploitation information, refer to the Fluid Attacks Security Advisory.
Detection Methods for CVE-2026-3673
Indicators of Compromise
- Unusual or suspicious values in _user_tags fields containing HTML special characters (<, >, ", ') or JavaScript keywords (script, onerror, onload)
- Database records with tag values containing encoded JavaScript payloads or event handlers
- Client-side errors or unexpected script execution when rendering list/report views
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS patterns in POST/PUT requests targeting tag-related endpoints
- Monitor application logs for requests containing potential XSS payloads in tag parameters
- Deploy Content Security Policy (CSP) headers to detect and report inline script execution attempts
- Conduct regular database audits for suspicious patterns in _user_tags columns
Monitoring Recommendations
- Enable browser-side CSP violation reporting to capture attempted XSS exploitation
- Monitor authentication logs for accounts creating unusual tag values
- Implement real-time alerting for database modifications to tag fields containing script-like content
- Review access logs for patterns indicating reconnaissance of tag rendering functionality
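The database audit recommended under Detection Strategies and the indicators listed above, as an added example that is not part of this advisory or of Frappe: an offline scan over constructed _user_tags rows that decodes URL and HTML-entity encoding before matching, so encoded payloads are not missed. It assumes _user_tags is stored as a comma-separated string with a leading comma.

```javascript
// Added example (not Frappe's code). Rows below are constructed samples in the
// shape of records with a _user_tags column (assumed comma-separated, leading comma).
const ROWS = [
  { doctype: 'ToDo', name: 'TODO-0001', _user_tags: ',urgent,finance' },
  { doctype: 'ToDo', name: 'TODO-0002', _user_tags: ',review,<svg onload=alert(1)>' },
  { doctype: 'Note', name: 'NOTE-0007', _user_tags: ',%3Cscript%3Ealert(1)%3C/script%3E' },
  { doctype: 'Note', name: 'NOTE-0008', _user_tags: ',&lt;img src=x onerror=alert(1)&gt;' },
  { doctype: 'Note', name: 'NOTE-0009', _user_tags: ',plain &amp; simple' },
];

// Indicators from the advisory: HTML metacharacters, event handlers, script
// elements and javascript: URIs. "script" is matched as an element rather than
// a bare keyword to avoid flagging ordinary tags such as "description".
const INDICATORS = [
  { id: 'html-metachar', re: /[<>"']/ },
  { id: 'event-handler', re: /\bon[a-z]+\s*=/i },
  { id: 'script-element', re: /<\s*\/?\s*script\b/i },
  { id: 'javascript-uri', re: /javascript\s*:/i },
];

// Undo the encodings an attacker might use to slip past a naive string match.
function decodeTag(tag) {
  let s = tag;
  try { s = decodeURIComponent(s); } catch (_) { /* not URL-encoded; keep as-is */ }
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&lt;/gi, '<').replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"').replace(/&#39;|&apos;/gi, "'")
    .replace(/&amp;/gi, '&'); // last, so "&amp;lt;" does not become "<"
}

// Walk every tag of every row; report the record, raw tag, decoded tag and which
// indicators fired, so an operator can review and clean the offending records.
function auditUserTags(rows) {
  const findings = [];
  for (const row of rows) {
    for (const tag of String(row._user_tags || '').split(',')) {
      if (!tag) continue;
      const decoded = decodeTag(tag);
      const hits = INDICATORS.filter(i => i.re.test(decoded)).map(i => i.id);
      if (hits.length) {
        findings.push({ doctype: row.doctype, name: row.name, tag, decoded, indicators: hits });
      }
    }
  }
  return findings;
}

console.log(JSON.stringify(auditUserTags(ROWS), null, 2));
```

In a real audit the ROWS array would be replaced by a query over the tables that carry a _user_tags column; the matching logic is unchanged.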
How to Mitigate CVE-2026-3673
Immediate Actions Required
- Audit existing _user_tags entries in the database for malicious payloads and sanitize or remove suspicious values
- Implement strict input validation on tag creation endpoints to reject HTML special characters and JavaScript keywords
- Deploy Content Security Policy (CSP) headers with strict inline script restrictions
- Consider temporarily restricting tag creation privileges to trusted administrators
Patch Information
Users should monitor the Frappe GitHub Repository for security updates addressing this vulnerability. Review the Fluid Attacks Security Advisory for additional remediation guidance from the vulnerability researchers.
Workarounds
- Implement server-side output encoding for all tag content before HTML rendering using context-appropriate escaping functions
- Apply input validation to reject tags containing HTML metacharacters or script patterns
- Deploy restrictive Content Security Policy headers to prevent inline script execution as a defense-in-depth measure
- Limit tag creation capabilities to trusted user roles until a patch is available
# Example CSP header configuration for nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'self';" always;
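The escaping gap described under Root Cause and the server-side output encoding workaround, as an added example that is not Frappe's own code: a minimal tag renderer in the shape the advisory describes, first interpolating tag text into an attribute and into element content unescaped, then the hardened form that escapes every interpolation point for its HTML context. The _user_tags format (comma-separated, leading comma) is an assumption; the tag values are constructed.

```javascript
// Added example (not Frappe's code): vulnerable versus hardened tag rendering.

// Escape for HTML text content and for double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Assumed storage format: ",tag1,tag2" (leading comma, comma-separated).
function splitUserTags(userTags) {
  return String(userTags || '').split(',').map(t => t.trim()).filter(Boolean);
}

// Vulnerable renderer: the tag lands in two attributes and in element content
// as-is, so any markup in the tag becomes part of the page.
function renderTagsVulnerable(userTags) {
  return splitUserTags(userTags)
    .map(tag => `<span class="tag" data-tag="${tag}" title="${tag}">${tag}</span>`)
    .join('');
}

// Hardened renderer: identical markup, but every interpolation point is escaped.
// One escaper covers both contexts because the attributes are double-quoted and
// the escaper encodes both quote characters as well as < > &.
function renderTagsSafe(userTags) {
  return splitUserTags(userTags)
    .map(tag => {
      const safe = escapeHtml(tag);
      return `<span class="tag" data-tag="${safe}" title="${safe}">${safe}</span>`;
    })
    .join('');
}

// Constructed sample: a benign tag, the classic image/onerror test probe, a benign tag.
const CONSTRUCTED_TAGS = ',important,<img src=x onerror=alert(1)>,billing';

console.log('vulnerable:', renderTagsVulnerable(CONSTRUCTED_TAGS));
console.log('hardened:  ', renderTagsSafe(CONSTRUCTED_TAGS));
```

Escaping at the rendering point is the fix; the input validation and CSP items above reduce exposure but do not replace it, since tag values already stored before a patch still reach the renderer.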
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.