Frappe Open Redirect and XSS Vulnerability in Signup Process

Vulnerability

A vulnerability allowing open redirect or reflected cross-site scripting (XSS) has been identified in the Frappe web application framework, specifically in versions prior to 14.99.14 and 15.94.0. The issue arises when an attacker crafts a malicious signup URL that, upon user registration, redirects to an external site or executes a script, depending on the payload used.

Impact

Exploitation of this vulnerability could result in an open redirect or reflected cross-site scripting, allowing for the potential execution of malicious scripts in the context of the user's browser.

Reproduction

To reproduce this vulnerability, create a signup URL that includes a crafted redirect payload. When a user signs up using this URL, the application will either redirect to the specified location or execute a script, depending on the payload.

Remediation

Users are advised to upgrade to Frappe versions 14.99.14 or 15.94.0, where this vulnerability has been patched.
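The root cause described above is a signup redirect target that is accepted without checking it stays on the application's own origin or carries a non-script scheme. The following validator is an added example written for this advisory, not Frappe's own code or patch; the function name, the allowed host and the default landing path are assumptions, and the name of the vulnerable query parameter is not stated on this page and is not guessed here. It collapses anything that would leave the origin (absolute URLs to other hosts, protocol-relative `//host`, backslash variants) or that uses a `javascript:`/`data:` scheme to a fixed landing page, and it rejects characters that would let an echoed value break out of HTML.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed defaults for this example; Frappe's real landing page and
# redirect parameter name are not given in the advisory and are not assumed.
DEFAULT_LANDING = "/app"

# Allowlist for a same-origin path plus query: RFC 3986 pchar/query characters
# minus quotes and angle brackets, so a value later echoed into HTML cannot
# close an attribute or open a tag.
_SAFE_CHARS = re.compile(r"^[A-Za-z0-9\-._~%/?=&+,;:@!$*]*$")


def safe_redirect_target(candidate, allowed_host):
    """Return an origin-relative path to redirect to after signup.

    Any value that would leave the origin or that carries a non-http scheme
    (javascript:, data:, vbscript:, ...) collapses to DEFAULT_LANDING.
    """
    if not candidate:
        return DEFAULT_LANDING

    # Browsers treat '\' like '/' in the authority part; normalise so that
    # "/\evil.example" is parsed as "//evil.example" below and rejected.
    cleaned = candidate.strip().replace("\\", "/")
    parts = urlsplit(cleaned)

    # Only http(s) or no scheme at all.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_LANDING

    # If a host is present it must be exactly ours; this rejects
    # "https://evil.example/", "//evil.example/" and "ours@evil.example".
    if parts.netloc and parts.netloc.lower() != allowed_host.lower():
        return DEFAULT_LANDING

    path = parts.path or "/"
    if not path.startswith("/"):
        path = "/" + path
    # "////evil.example" splits to an empty netloc with path "//evil.example";
    # some browsers read a "//"-prefixed Location as an authority, so never
    # emit a path that begins with two slashes.
    if path.startswith("//"):
        return DEFAULT_LANDING

    # Drop scheme, host and fragment: the result is always origin-relative.
    result = urlunsplit(("", "", path, parts.query, ""))
    if not _SAFE_CHARS.match(result):
        return DEFAULT_LANDING
    return result


if __name__ == "__main__":
    # Constructed sample inputs exercising each rejection path.
    for value in ("/app/home?tab=1", "https://evil.example/", "//evil.example/x",
                  "javascript:alert(1)", "/\\evil.example", '/app"><script>',
                  "https://erp.example/app/x", "////evil.example"):
        print(repr(value), "->", safe_redirect_target(value, "erp.example"))
```

The allowed host is compared as an exact, case-insensitive string rather than by suffix, so `erp.example.evil.example` and `erp.example@evil.example` are both rejected; the result is rebuilt from path and query only, so even a URL that names the correct host comes back as a relative path.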

Added: Feb 10, 2026, 6:20 PM
Updated: Feb 11, 2026, 1:34 AM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          0.2
exploitability  7.4
remediation     7.7
relevance       3.0
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.