Executive Summary

CVE-2026-25956 is a vulnerability in the Frappe web application framework that affects the user signup process. An attacker can create a malicious signup URL which, when used by a user during signup, can cause an open redirect or a reflected Cross-Site Scripting (XSS) attack depending on the crafted payload.

The issue arises because the redirect URL provided during signup was not properly sanitized before being stored and used, allowing unsafe URLs to be used for redirection after login.

This vulnerability was fixed by introducing a sanitization step for the redirect URL in the signup function, ensuring only safe URLs are accepted and cached.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to redirect users to malicious websites after signup, potentially leading to phishing attacks or other malicious activities.

Additionally, depending on the payload, it can lead to reflected XSS attacks, which can be used to execute malicious scripts in the context of the vulnerable site, potentially compromising user data or session information.

The attack requires no privileges but does require user interaction (the user signing up). The overall impact on confidentiality and integrity is considered low, and there is no impact on availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves a malicious signup URL that can cause an open redirect or reflected XSS during user signup in the Frappe framework. Detection involves monitoring signup URLs and user signup requests for suspicious or crafted redirect parameters.'}, {'type': 'paragraph', 'content': 'Specifically, you can look for HTTP requests to the signup endpoint containing unusual or unexpected redirect_to parameters that might be used for open redirect or XSS attacks.'}, {'type': 'list_item', 'content': 'Use network traffic inspection tools (e.g., Wireshark, tcpdump) to capture HTTP requests to the signup URL and filter for suspicious redirect parameters.'}, {'type': 'list_item', 'content': 'On the server, check logs for signup requests with redirect_to parameters containing external or malformed URLs.'}, {'type': 'list_item', 'content': "Example command to search server logs for suspicious redirect parameters: `grep -i 'redirect_to=' /path/to/frappe/logs/*`"}, {'type': 'list_item', 'content': 'Use web application scanners or custom scripts to test the signup URL with crafted redirect_to parameters to see if the redirect is sanitized or not.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the Frappe framework to version 14.99.14 or 15.94.0 or later, where this vulnerability is fixed.

The fix involves sanitizing the redirect URL during the user signup process to prevent unsafe redirects and reflected XSS.

Until you can upgrade, consider implementing input validation or filtering on the redirect_to parameter in your signup process to block unsafe URLs.

Additionally, monitor user signup activity for suspicious redirect URLs and educate users about the risk of clicking on untrusted signup links.

Useful 0 Not Useful 0