CVE-2026-41430 LOW

CVE-2026-41430: Press vulnerable to reflected XSS on login redirection

Vendor Frappe
Product press
Weakness CWE-79 · XSS
Published April 24, 2026
Last update April 24, 2026

CVSS base score

1.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

What the vulnerability does

01Description

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting redirects to internal URLs only.

Key dates

02Disclosure timeline

April 24, 2026 CVE published
April 24, 2026 Record updated