CVE-2026-25956
Open Redirect and Reflected XSS in Frappe Signup URL
Publication date: 2026-02-10
Last updated on: 2026-02-17
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | frappe | Before 14.99.14 (exc) |
| frappe | frappe | From 15.0.0 (inc) to 15.94.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25956 is a vulnerability in the Frappe web application framework that affects the user signup process. An attacker can create a malicious signup URL which, when used by a user during signup, can cause an open redirect or a reflected Cross-Site Scripting (XSS) attack depending on the crafted payload.
The issue arises because the redirect URL provided during signup was not properly sanitized before being stored and used, allowing unsafe URLs to be used for redirection after login.
This vulnerability was fixed by introducing a sanitization step for the redirect URL in the signup function, ensuring only safe URLs are accepted and cached.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to redirect users to malicious websites after signup, potentially leading to phishing attacks or other malicious activities.
Additionally, depending on the payload, it can lead to reflected XSS attacks, which can be used to execute malicious scripts in the context of the vulnerable site, potentially compromising user data or session information.
The attack requires no privileges but does require user interaction (the user signing up). The overall impact on confidentiality and integrity is considered low, and there is no impact on availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a malicious signup URL that can cause an open redirect or reflected XSS during user signup in the Frappe framework. Detection involves monitoring signup URLs and user signup requests for suspicious or crafted redirect parameters.
Specifically, you can look for HTTP requests to the signup endpoint containing unusual or unexpected redirect_to parameters that might be used for open redirect or XSS attacks.
- Use network traffic inspection tools (e.g., Wireshark, tcpdump) to capture HTTP requests to the signup URL and filter for suspicious redirect parameters.
- On the server, check logs for signup requests with redirect_to parameters containing external or malformed URLs.
- Example command to search server logs for suspicious redirect parameters: `grep -i 'redirect_to=' /path/to/frappe/logs/*`
- Use web application scanners or custom scripts to test the signup URL with crafted redirect_to parameters to see if the redirect is sanitized or not. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the Frappe framework to a fixed release: 14.99.14 or later on the 14.x line, or 15.94.0 or later on the 15.x line.
The fix involves sanitizing the redirect URL during the user signup process to prevent unsafe redirects and reflected XSS.
Until you can upgrade, consider implementing input validation or filtering on the redirect_to parameter in your signup process to block unsafe URLs.
Additionally, monitor user signup activity for suspicious redirect URLs and educate users about the risk of clicking on untrusted signup links.
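The following is an added illustration of the two defensive measures described above (a same-site check on the redirect_to value, and scanning logs for values that fail it); it is not Frappe's own sanitization code. The site host, the endpoint path in the log lines, and the log lines themselves are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed host of the Frappe site; not taken from the advisory.
SITE_HOST = "erp.example.com"


def is_safe_redirect(value: str, site_host: str = SITE_HOST) -> bool:
    """Accept only same-site targets for a redirect_to value.

    Rejects other hosts (CWE-601), protocol-relative "//host" forms,
    backslash and control-character tricks, and non-http schemes such as
    javascript: (the CWE-79 path when the value is later written into a page).
    """
    if not value:
        return False
    value = unquote(value).strip()
    if re.search(r"[\x00-\x20\\]", value):
        return False
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        # Absolute URL: only https back to this exact host is allowed.
        return parts.scheme == "https" and parts.netloc.lower() == site_host
    # Relative target must be a single-slash path, never "//evil.example".
    return value.startswith("/") and not value.startswith("//")


# Constructed access-log lines; the endpoint path is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2026:12:00:01 +0000] "GET /login?redirect_to=/app/home HTTP/1.1" 200 512
10.0.0.9 - - [10/Feb/2026:12:00:07 +0000] "GET /login?redirect_to=https://evil.example/phish HTTP/1.1" 302 0
10.0.0.9 - - [10/Feb/2026:12:00:09 +0000] "GET /login?redirect_to=javascript:alert(document.domain) HTTP/1.1" 200 800
"""


def find_unsafe_redirects(log_text: str, site_host: str = SITE_HOST) -> list:
    """Return every redirect_to value in the log that fails is_safe_redirect."""
    unsafe = []
    for line in log_text.splitlines():
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for target in parse_qs(query, keep_blank_values=True).get("redirect_to", []):
            if not is_safe_redirect(target, site_host):
                unsafe.append(target)
    return unsafe
```

Run `find_unsafe_redirects` over real access logs to surface the values a patched site would reject; the same check can serve as an interim filter on redirect_to until the upgrade is applied.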