CVE-2026-41430 Overview
CVE-2026-41430 is a reflected Cross-Site Scripting (XSS) vulnerability in Frappe Press, a custom application that powers Frappe Cloud for managing infrastructure, subscriptions, marketplace, and software-as-a-service (SaaS) deployments. The vulnerability exists in the redirect parameter on the login page, which fails to properly validate user-supplied input before using it in a redirect operation.
Critical Impact
Attackers can craft malicious URLs that, when clicked by authenticated users, execute arbitrary JavaScript in the context of the victim's browser session, potentially leading to session hijacking or credential theft.
Affected Products
- Frappe Press (versions prior to commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6)
Discovery Timeline
- April 24, 2026 - CVE-2026-41430 published to NVD
- April 30, 2026 - Last updated in NVD database
Technical Details for CVE-2026-41430
Vulnerability Analysis
This reflected XSS vulnerability occurs in the login flow of the Frappe Press dashboard. The redirect query parameter is accepted on the login page and used directly to redirect users after successful authentication. Prior to the security patch, the application did not validate whether the redirect URL was an internal path, allowing attackers to inject external URLs or JavaScript payloads.
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The attack requires user interaction—a victim must click a crafted malicious link—but requires no authentication to exploit, as the attack occurs during the login process itself.
Root Cause
The root cause is insufficient input validation on the redirect query parameter in the LoginSignup.vue component. The original implementation blindly accepted any value provided in the redirect parameter and used it directly in window.location.href after successful authentication. This design flaw allowed attackers to supply arbitrary URLs, including protocol-relative URLs (//malicious.com) or JavaScript URIs, bypassing any expectation of internal-only redirects.
Attack Vector
The attack vector is network-based, requiring an attacker to craft a malicious URL and convince a victim to click it. The attack flow typically involves:
- Attacker crafts a malicious URL with a payload in the redirect parameter
- Victim clicks the link and is presented with the legitimate login page
- After authentication, the victim is redirected to the attacker-controlled destination
- The malicious redirect can execute JavaScript or redirect to a phishing page
},
afterLogin(res) {
let loginRoute = `/dashboard${res.dashboard_route || '/'}`;
- // if query param redirect is present, redirect to that route
- if (this.$route.query.redirect) {
- loginRoute = this.$route.query.redirect;
+ // If `redirect` is present in query, redirect to that.
+ // Restrict redirect to relative paths.
+ const redirect = this.$route.query.redirect;
+ if (redirect && redirect.startsWith('/') && !redirect.startsWith('//')) {
+ loginRoute = redirect;
}
localStorage.setItem('login_email', this.email);
window.location.href = loginRoute;
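Review bot: the new guard `if (redirect && redirect.startsWith('/') && !redirect.startsWith('//'))` validates the value as a plain string, but the consumer `window.location.href = loginRoute;` hands it to the browser's URL parser, and for http(s) URLs that parser treats a backslash after the leading slash the same as a second slash, so a prefix test can admit a value the parser resolves to a different authority. Consider resolving the value with `new URL(redirect, window.location.origin)` and accepting it only when its `.origin` equals the current origin, and reword the added comment to state that same-origin, not "relative path", is the invariant being enforced. Separately, `this.$route.query.redirect` is an array when the parameter is repeated in the query string, and `.startsWith` on an array throws, so guard with `typeof redirect === 'string'` before the prefix tests.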
Source: GitHub Commit Details
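To make the root cause and the fix concrete, the following is an added example (not Frappe Press code) that places the patch's string-prefix rule next to a stricter check that resolves the redirect with the URL parser and compares origins, then runs both over constructed inputs. The origin `https://press.example` and the helper names (`isSafeRedirectPrefix`, `isSafeRedirectOrigin`, `resolveLoginRoute`) are assumptions for the example.

```javascript
// Added example, not Frappe Press code. Two ways to validate the post-login
// redirect target that afterLogin() assigns to window.location.href.
// APP_ORIGIN is a constructed stand-in for the dashboard's origin.
const APP_ORIGIN = 'https://press.example';

// Check 1: the string-prefix rule from the patch. Accepts only values that
// begin with a single "/" and rejects protocol-relative "//" values.
function isSafeRedirectPrefix(redirect) {
  return typeof redirect === 'string' &&
    redirect.startsWith('/') &&
    !redirect.startsWith('//');
}

// Check 2: resolve the value with the same URL parser the browser will use and
// accept it only if the resulting origin is the application's own origin. This
// also rejects values the prefix rule lets through but the parser treats as a
// different host, e.g. a leading "/\" which http(s) URL parsing normalizes to "//".
function isSafeRedirectOrigin(redirect, origin = APP_ORIGIN) {
  if (typeof redirect !== 'string' || !redirect.startsWith('/')) return false;
  let parsed;
  try {
    parsed = new URL(redirect, origin);
  } catch (e) {
    return false; // unparseable input is never a valid destination
  }
  return parsed.origin === new URL(origin).origin;
}

// Build the final route the way afterLogin() does, falling back to the
// dashboard route whenever the supplied redirect fails the origin check.
function resolveLoginRoute(redirect, dashboardRoute, origin = APP_ORIGIN) {
  const fallback = `/dashboard${dashboardRoute || '/'}`;
  return isSafeRedirectOrigin(redirect, origin) ? redirect : fallback;
}

// Constructed inputs covering the cases the advisory describes.
const SAMPLE_REDIRECTS = [
  '/dashboard/sites',
  '/dashboard/sites?tab=overview',
  '//evil.example/phish',
  'https://evil.example/phish',
  'javascript:void(0)',
  '/\\evil.example',
  '',
  undefined,
];

// Run both checks over the samples; returns one row per input.
function compareChecks(inputs = SAMPLE_REDIRECTS) {
  return inputs.map((value) => ({
    input: value,
    prefixCheck: isSafeRedirectPrefix(value),
    originCheck: isSafeRedirectOrigin(value),
  }));
}

console.table(compareChecks());
```

The table shows the two checks agreeing on every input except the backslash case, which is why the origin comparison is the rule to prefer when the value ends up in `window.location.href`.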
Detection Methods for CVE-2026-41430
Indicators of Compromise
- Login URLs containing suspicious redirect parameter values with external domains or protocol-relative URLs (//)
- Web server access logs showing login page requests with JavaScript schemes in query strings
- Unusual redirects away from the Frappe Press domain immediately following authentication
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block suspicious redirect parameters containing external URLs or JavaScript payloads
- Monitor access logs for login page requests containing redirect parameters with protocol-relative URLs (//) or external domain references
- Deploy browser-based security controls to detect unexpected cross-origin navigation after authentication
Monitoring Recommendations
- Enable detailed logging for authentication endpoints to capture all query parameters
- Configure alerting for login page requests with redirect parameters that do not start with a single forward slash
- Review authentication flow telemetry for any redirects to external domains post-login
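The log-based detection and monitoring points above can be expressed as a small scanner. The following is an added example (not Frappe Press code) that parses combined-format access log lines, decodes the `redirect` query parameter of login requests, and flags values that are not a plain single-slash path. The log lines are constructed, and the login path `/dashboard/login` is an assumption about the deployment.

```javascript
// Added example, not Frappe Press code: scan web server access log lines for
// login requests whose redirect parameter is not a plain relative path.
// Log lines below are constructed in the common "combined" format, and the
// login path /dashboard/login is an assumption about the deployment.

const LOGIN_PATH_MARKER = '/login';

// Constructed sample log lines.
const SAMPLE_LOG = [
  '198.51.100.7 - - [24/Apr/2026:10:15:32 +0000] "GET /dashboard/login?redirect=%2Fdashboard%2Fsites HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [24/Apr/2026:10:16:01 +0000] "GET /dashboard/login?redirect=%2F%2Fevil.example%2Fphish HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [24/Apr/2026:10:16:44 +0000] "GET /dashboard/login?redirect=javascript%3Avoid(0) HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [24/Apr/2026:10:17:10 +0000] "GET /dashboard/login?redirect=https%3A%2F%2Fevil.example%2F HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [24/Apr/2026:10:18:00 +0000] "GET /dashboard/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [24/Apr/2026:10:18:05 +0000] "GET /api/method/ping?redirect=%2F%2Fnot-a-login-endpoint HTTP/1.1" 200 20 "-" "curl/8.0"',
];

// Fields of a combined-format line: client, timestamp, method, request path, status.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Pull the percent-decoded redirect value out of the request path, or null if
// absent. A placeholder base is needed because the logged path has no origin.
function extractRedirect(path) {
  try {
    return new URL(path, 'http://placeholder.invalid').searchParams.get('redirect');
  } catch (e) {
    return null;
  }
}

// Classify a decoded redirect value. Returns a reason string when the value
// is not a plain single-slash path, otherwise null.
function classifyRedirect(value) {
  if (value === null) return null;
  if (/^[a-z][a-z0-9+.-]*:/i.test(value)) return 'absolute-scheme';
  if (value.startsWith('//') || value.startsWith('/\\')) return 'protocol-relative';
  if (!value.startsWith('/')) return 'not-a-path';
  return null;
}

// Scan lines and return one finding per login request with a flagged redirect.
function scanAccessLog(lines = SAMPLE_LOG) {
  const findings = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry || !entry.path.includes(LOGIN_PATH_MARKER)) continue;
    const redirect = extractRedirect(entry.path);
    const reason = classifyRedirect(redirect);
    if (reason) findings.push({ client: entry.client, time: entry.time, redirect, reason });
  }
  return findings;
}

for (const f of scanAccessLog()) {
  console.log(`${f.time} ${f.client} ${f.reason}: ${f.redirect}`);
}
```

Decoding before classifying matters: the raw query string carries `%2F%2F`, and a rule that only looks for a literal `//` in the access log would miss it, while the dashboard decodes the parameter before using it.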
How to Mitigate CVE-2026-41430
Immediate Actions Required
- Update Frappe Press to include commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 or later
- Review authentication logs for any evidence of exploitation attempts using malicious redirect parameters
- Implement Content Security Policy (CSP) headers to mitigate potential XSS impact
Patch Information
The vulnerability is fixed in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6. The patch modifies the afterLogin function in dashboard/src/pages/LoginSignup.vue to validate that the redirect parameter starts with a single forward slash (/) and explicitly blocks protocol-relative URLs (those starting with //). Organizations should update their Frappe Press installation to include this commit. For additional details, refer to the GitHub Security Advisory.
Workarounds
- Deploy a reverse proxy or WAF rule to strip or validate the redirect query parameter on login endpoints
- Implement server-side validation to ensure all redirect targets are on the same domain before the frontend patch can be applied
- Consider disabling custom redirect functionality temporarily if immediate patching is not possible
# Example Nginx configuration to block suspicious redirect parameters.
# The location path is an assumption; match it to the deployment's actual
# login route. $arg_redirect holds the raw, still percent-encoded value, so
# the pattern also covers an encoded "//" (%2F%2F) and an encoded scheme
# colon (%3A), which the dashboard would otherwise decode before use. Any
# scheme prefix is rejected, not just http and javascript.
location /login {
    if ($arg_redirect ~* "^(//|%2F%2F|[a-z][a-z0-9+.-]*(:|%3A))") {
        return 403;
    }
    proxy_pass http://frappe_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.