{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25956", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T17:13:54.065Z", "datePublished": "2026-02-10T17:39:20.430Z", "dateUpdated": "2026-02-10T19:27:58.893Z"}, "containers": {"cna": {"title": "Frappe Affected by XSS and Open Redirect in Sign Up", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/frappe/frappe/security/advisories/GHSA-7m8v-g2pr-h2f7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-7m8v-g2pr-h2f7"}, {"name": "https://github.com/frappe/frappe/commit/22cac9dd240dc1fa00d4bab7e3887b70faf22bd1", "tags": ["x_refsource_MISC"], "url": "https://github.com/frappe/frappe/commit/22cac9dd240dc1fa00d4bab7e3887b70faf22bd1"}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"version": "< 14.99.14", "status": "affected"}, {"version": ">= 15.0.0, < 15.94.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-10T17:39:20.430Z"}, "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to 14.99.14 and 15.94.0, an attacker could craft a malicious signup URL for a frappe site which could lead to an open redirect (or reflected XSS, depending on the crafted payload) when a user signs up. This vulnerability is fixed in 14.99.14 and 15.94.0."}], "source": {"advisory": "GHSA-7m8v-g2pr-h2f7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T19:27:39.316588Z", "id": "CVE-2026-25956", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T19:27:58.893Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25956", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T19:27:39.316588Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T19:27:44.902Z"}}], "cna": {"title": "Frappe Affected by XSS and Open Redirect in Sign Up", "source": {"advisory": "GHSA-7m8v-g2pr-h2f7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"status": "affected", "version": "< 14.99.14"}, {"status": "affected", "version": ">= 15.0.0, < 15.94.0"}]}], "references": [{"url": "https://github.com/frappe/frappe/security/advisories/GHSA-7m8v-g2pr-h2f7", "name": "https://github.com/frappe/frappe/security/advisories/GHSA-7m8v-g2pr-h2f7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/frappe/frappe/commit/22cac9dd240dc1fa00d4bab7e3887b70faf22bd1", "name": "https://github.com/frappe/frappe/commit/22cac9dd240dc1fa00d4bab7e3887b70faf22bd1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to 14.99.14 and 15.94.0, an attacker could craft a malicious signup URL for a frappe site which could lead to an open redirect (or reflected XSS, depending on the crafted payload) when a user signs up. This vulnerability is fixed in 14.99.14 and 15.94.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-10T17:39:20.430Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25956", "state": "PUBLISHED", "dateUpdated": "2026-02-10T19:27:58.893Z", "dateReserved": "2026-02-09T17:13:54.065Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-10T17:39:20.430Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "matchCriteriaId": "B90A466B-0D94-4B17-8525-15F4528579DE", "versionEndExcluding": "14.99.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C5DE833-AC0F-4270-B614-CE4F8CAE7AC6", "versionEndExcluding": "15.94.0", "versionStartIncluding": "15.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to 14.99.14 and 15.94.0, an attacker could craft a malicious signup URL for a frappe site which could lead to an open redirect (or reflected XSS, depending on the crafted payload) when a user signs up. This vulnerability is fixed in 14.99.14 and 15.94.0."}], "id": "CVE-2026-25956", "lastModified": "2026-02-17T15:05:39.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-10T18:16:38.653", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/frappe/frappe/commit/22cac9dd240dc1fa00d4bab7e3887b70faf22bd1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-7m8v-g2pr-h2f7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,14.99.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[15.0.0,15.94.0)"}}], "product": "frappe", "vendor": "frappe"}], "analysis": {"en": {"generated_at": "2026-04-18T12:50:39.126644+00:00", "value": {"mitigation_remediation": ["Update the Frappe framework to version 14.99.14, 15.94.0, or any newer release that contains the vendor patch.", "If an upgrade is delayed, modify the sign\u2011up endpoint to reject or neutralize any query parameters that influence redirection and strip potentially dangerous characters that could form reflected scripts.", "Observe sign\u2011up traffic for anomalous URLs or unexpected redirects, and block traffic from sites known to contain malicious content or otherwise suspect domains."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting and Open Redirect"}, "threat_synthesis": {"affected_systems": "Any installation of the Frappe framework built prior to version 14.99.14 or 15.94.0 is affected. The issue arises in the public framework through its sign\u2011up functionality, affecting all sites that use the default registration flow without additional safeguards.", "description_and_impact": "The Frappe framework contains a flaw that allows an attacker to construct a special sign\u2011up URL. When a user follows the link during registration, the browser may be redirected to an attacker\u2011chosen site or may execute a reflected cross\u2011site scripting payload. The vulnerability is linked to CWE\u201179 (XSS) and CWE\u2011601 (Open Redirect).", "risk_and_exploitability": "The CVSS score of 6.1 classifies the issue as Medium severity. The EPSS score is below 1%, indicating a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to craft a malicious link and convince a user to click on it during the sign\u2011up process. This suggests that successful exploitation depends on user interaction, which may limit the threat surface but still permits redirect or scripting attacks when the user follows the link."}}}}, "created": "2026-02-10T21:41:56.474581+00:00", "updated": "2026-04-18T13:00:08.728521+00:00", "vendors": ["frappe", "frappe$PRODUCT$frappe"]}