CVE-2026-41430 PUBLISHED

Press vulnerable to reflected XSS on login redirection

Assigner: GitHub_M
Reserved: 20.04.2026 Published: 24.04.2026 Updated: 24.04.2026

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting redirects to internal URLs only.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
CVSS Score: 1.3

Product Status

Vendor frappe
Product press
Versions
  • Version < 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 is affected

References

Problem Types

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE