# Frappe Framework v16.10.0 Stored DOM XSS Vulnerability Summary

## Vulnerability Overview

* **Vulnerability Name**: Frappe Framework v16.10.0 - Stored DOM XSS in Multiple Field Formatters
* **CVE ID**: CVE-2026-3837
* **CVSS Score**: 4.6 (Medium)
* **Vulnerability Type**: Stored DOM XSS
* **Discoverer**: Oscar Uribe (Fluid Attacks AI SAST Scanner)
* **Vulnerability Description**: An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when other users open the affected documents. The vulnerable formatter implementations insert stored values into raw HTML attributes and element content without escaping.

## Impact Scope

* **Affected Software**: Frappe Framework
* **Affected Version**: v16.10.0
* **Affected Components**:
  * Color formatter
  * Icon formatter
* **Exploitation Conditions**: Requires an authenticated user account (the attacker must be able to log in to Desk and save a document that contains an affected field). Victims are other users who open that document.

## Remediation

* **Current Status**: No patch is available for this vulnerability at the time of writing.
* **Recommendation**: Wait for the official fix release.

## POC Code & Exploitation Details

### 1. Vulnerability Path Analysis

* **Source**: Attacker-controlled field values submitted through the normal web flow and tampered with in transit (the save request is intercepted and modified).
* **Persistence**: The backend stores these values because these field types lack strict server-side validation, and the HTML sanitizer is not triggered by payloads containing ``.
* **Sink builders**:
  * `frappe.form.formatters.Color` renderer:
    ```html
    ```
  * `frappe.form.formatters.Icon` renderer:
    ```html
    ```
  * `frappe.utils.icon()` function:
    ```html
    ```
* **DOM insertion**: The formatted HTML is inserted into the DOM when the field is rendered in Desk display mode. Because the stored value is concatenated into an attribute without escaping, a value containing a double quote closes the attribute and any text that follows is parsed as further attributes of the same element (attribute injection, e.g. an `onmouseover` handler).

### 2. Related Code Files

* `frappe/frappe/public/js/frappe/form/formatters.js` (lines 397-409)
* `frappe/frappe/public/js/frappe/utils/utils.js` (lines 1424-1452)
* `frappe/frappe/public/js/frappe/form/controls/base_input.js`
* `frappe/frappe/public/js/frappe/form/controls/color.js`
* `frappe/frappe/public/js/frappe/form/controls/icon.js`
* `frappe/frappe/model/base_document.py`

### 3. Specific Exploit Code (PoC)

#### Color formatter

1. Log in to Desk as an authenticated user.
2. Open a document containing a Color field.
3. Use Burp Suite to intercept the save request and replace the Color field value with:
   ```html
   onmouseover="alert(7441)"
   ```
4. Forward the request so the tampered value is stored.
5. Open the affected record; the injected handler fires when the rendered field is hovered.

#### Icon formatter

1. Log in to Desk as an authenticated user.
2. Open a document containing an Icon field.
3. Use Burp Suite to intercept the save request and replace the Icon field value with:
   ```html
   folder-normal" onmouseover="alert(7551)"
   ```
4. Forward the request so the tampered value is stored.
5. Open the affected record; the injected handler fires when the rendered icon is hovered.
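The bug class behind both PoCs, shown as an added example that is not Frappe's code: two hypothetical formatters that interpolate a stored field value straight into an HTML attribute (the pattern the advisory describes), beside hardened versions that allow-list the value and escape it for attribute context. A small attribute tokeniser then checks the rendered markup for event-handler attributes, which is the practical test for whether a stored value has broken out of its attribute. The payloads are constructed in the style of the advisory's PoC values (the colour payload is given a leading double quote so it closes a quoted attribute); the element structure, the `HEX_COLOR`/`ICON_NAME` constraints and the `missing` fallback icon are assumptions for this example.

```javascript
// Added example, not Frappe code. Constructed payloads modelled on the advisory's PoC values:
// the leading double quote closes the attribute the value lands in, and the remainder is
// parsed as a new event-handler attribute on the same element.
const COLOR_PAYLOAD = '" onmouseover="alert(7441)';
const ICON_PAYLOAD = 'folder-normal" onmouseover="alert(7551)';

// --- Vulnerable pattern: raw interpolation of a stored value into a quoted attribute ---
function formatColorUnsafe(value) {
  return `<div class="color-swatch" style="background-color: ${value}"></div>`;
}
function formatIconUnsafe(name) {
  return `<svg class="icon"><use href="#icon-${name}"></use></svg>`;
}

// --- Hardened pattern: allow-list the value, then escape it for attribute context ---
// Escapes the characters that can terminate or alter an attribute value.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
// Example allow-lists (assumed for this illustration, not Frappe's validation rules).
const HEX_COLOR = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i;
const ICON_NAME = /^[a-z0-9][a-z0-9-]{0,63}$/;

function formatColorSafe(value) {
  // Only a validated colour reaches the style attribute (also blocks CSS injection);
  // the raw stored value is still shown to the user, but escaped, in the title attribute.
  const color = HEX_COLOR.test(value) ? value : '';
  return `<div class="color-swatch" style="background-color: ${escapeAttr(color)}" title="${escapeAttr(value)}"></div>`;
}
function formatIconSafe(name) {
  // Unknown names fall back to a fixed placeholder symbol (assumed name "missing");
  // escaping is kept as defence in depth should the allow-list ever be loosened.
  const icon = ICON_NAME.test(name) ? name : 'missing';
  return `<svg class="icon"><use href="#icon-${escapeAttr(icon)}"></use></svg>`;
}

// --- Check: tokenise each start tag and collect its attribute names ---
// Handles double-quoted, single-quoted and unquoted values, which is all that is needed
// to see whether a stored value stayed inside its attribute or created new ones.
function parseTags(html) {
  const isWs = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r';
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<' || !/[A-Za-z]/.test(html[i + 1] || '')) { i++; continue; }
    i++;
    let tag = '';
    while (i < html.length && /[A-Za-z0-9-]/.test(html[i])) tag += html[i++];
    const attrs = [];
    for (;;) {
      while (i < html.length && isWs(html[i])) i++;
      if (i >= html.length || html[i] === '>') { i++; break; }
      if (html[i] === '/') { i++; continue; }
      let name = '';
      while (i < html.length && !isWs(html[i]) && !'=>/'.includes(html[i])) name += html[i++];
      while (i < html.length && isWs(html[i])) i++;
      let value = null;
      if (html[i] === '=') {
        i++;
        while (i < html.length && isWs(html[i])) i++;
        const q = html[i];
        value = '';
        if (q === '"' || q === "'") {
          i++;
          while (i < html.length && html[i] !== q) value += html[i++];
          i++; // closing quote
        } else {
          while (i < html.length && !isWs(html[i]) && html[i] !== '>') value += html[i++];
        }
      }
      if (name) attrs.push({ name: name.toLowerCase(), value });
    }
    tags.push({ tag: tag.toLowerCase(), attrs });
  }
  return tags;
}

// Returns "tag@attribute" for every on* attribute found anywhere in the markup.
function eventHandlerAttrs(html) {
  return parseTags(html).flatMap((t) =>
    t.attrs.filter((a) => a.name.startsWith('on')).map((a) => `${t.tag}@${a.name}`)
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, html] of [
    ['color unsafe', formatColorUnsafe(COLOR_PAYLOAD)],
    ['color safe', formatColorSafe(COLOR_PAYLOAD)],
    ['icon unsafe', formatIconUnsafe(ICON_PAYLOAD)],
    ['icon safe', formatIconSafe(ICON_PAYLOAD)],
  ]) {
    console.log(label, '->', html, '\n  handlers:', eventHandlerAttrs(html));
  }
}

module.exports = { formatColorUnsafe, formatIconUnsafe, formatColorSafe, formatIconSafe, escapeAttr, parseTags, eventHandlerAttrs, COLOR_PAYLOAD, ICON_PAYLOAD };
```

Note the two layers in the hardened formatters: escaping alone stops the attribute breakout, but the allow-list is what keeps a stored value out of the CSS `style` context and out of the `href`, where a syntactically valid but hostile value could still matter. Escaping output at the sink is also the only layer that protects records that were tampered with before server-side validation was added.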