{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41430", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T15:32:33.814Z", "datePublished": "2026-04-24T02:42:30.228Z", "dateUpdated": "2026-04-24T18:17:49.311Z"}, "containers": {"cna": {"title": "Press vulnerable to reflected XSS on login redirection", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 1.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/frappe/press/security/advisories/GHSA-mpww-rq79-8r2c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/press/security/advisories/GHSA-mpww-rq79-8r2c"}, {"name": "https://github.com/frappe/press/commit/16d1b6ca2559f858a1de77bcb03fd7f1b81671c6", "tags": ["x_refsource_MISC"], "url": "https://github.com/frappe/press/commit/16d1b6ca2559f858a1de77bcb03fd7f1b81671c6"}], "affected": [{"vendor": "frappe", "product": "press", "versions": [{"version": "< 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T02:42:30.228Z"}, "descriptions": [{"lang": "en", "value": "Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting redirects to internal URLs only."}], "source": {"advisory": "GHSA-mpww-rq79-8r2c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T17:22:42.830229Z", "id": "CVE-2026-41430", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:17:49.311Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41430", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T17:22:42.830229Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T17:24:18.685Z"}}], "cna": {"title": "Press vulnerable to reflected XSS on login redirection", "source": {"advisory": "GHSA-mpww-rq79-8r2c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 1.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "frappe", "product": "press", "versions": [{"status": "affected", "version": "< 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6"}]}], "references": [{"url": "https://github.com/frappe/press/security/advisories/GHSA-mpww-rq79-8r2c", "name": "https://github.com/frappe/press/security/advisories/GHSA-mpww-rq79-8r2c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/frappe/press/commit/16d1b6ca2559f858a1de77bcb03fd7f1b81671c6", "name": "https://github.com/frappe/press/commit/16d1b6ca2559f858a1de77bcb03fd7f1b81671c6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting redirects to internal URLs only."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T02:42:30.228Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41430", "state": "PUBLISHED", "dateUpdated": "2026-04-24T18:17:49.311Z", "dateReserved": "2026-04-20T15:32:33.814Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T02:42:30.228Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frappe:press:*:*:*:*:*:*:*:*", "matchCriteriaId": "B9782269-49C1-45E2-91B2-E6F2AE3DCB8A", "versionEndExcluding": "0.16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting redirects to internal URLs only."}], "id": "CVE-2026-41430", "lastModified": "2026-04-30T14:51:51.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T04:16:21.000", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/frappe/press/commit/16d1b6ca2559f858a1de77bcb03fd7f1b81671c6"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/frappe/press/security/advisories/GHSA-mpww-rq79-8r2c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,16d1b6ca2559f858a1de77bcb03fd7f1b81671c6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "press", "source": "cna", "vendor": "frappe"}, "product": "press", "vendor": "frappe"}], "analysis": {"en": {"generated_at": "2026-04-28T07:00:29.426649+00:00", "value": {"mitigation_remediation": ["Upgrade Frappe Press to a revision that includes commit 16d1b6ca (or any later release that incorporates the published patch).", "Modify the login redirect handler to whitelist only relative URLs or those that belong to the same host, rejecting external or absolute URLs that could be used for malicious scripting.", "Enforce a strong Content Security Policy that disallows inline scripts and isolates trusted domains, and consider using a web application firewall to block unexpected script injections in the redirect response."], "summary": {"action": "Patch", "impact": "Reflected Cross\u2011Site Scripting via the login redirect parameter"}, "threat_synthesis": {"affected_systems": "The Frappe Press application, which powers Frappe Cloud\u2019s infrastructure, subscription, and SaaS services, is affected. No version detail is provided, so any deployment of Press that includes the vulnerable login redirect code is potentially impacted.", "description_and_impact": "Press\u2019s login page accepts a redirect parameter that is reflected back into the response without proper sanitization, enabling attackers to inject JavaScript. If a victim clicks a malicious link containing a crafted redirect, the injected script runs in the user\u2019s browser, potentially allowing cookie theft, defacement, or phishing attacks. The CVSS score of 1.3 indicates a low overall severity, but the vulnerability could be abused if users are tricked into following a malicious redirect.", "risk_and_exploitability": "The CVSS score of 1.3 and an EPSS below 1% show that the likelihood of exploitation is very low at present, and the issue is not listed in CISA\u2019s KEV catalog. The attack vector is inferred to be a user clicking a crafted URL that triggers the vulnerable redirect. While the exploit is possible, it requires social engineering or phishing techniques to lure a user into executing the malicious script."}}}}, "created": "2026-04-27T23:00:12.518387+00:00", "updated": "2026-04-28T07:15:19.365065+00:00", "vendors": ["frappe", "frappe$PRODUCT$press"]}