This vulnerability allows an authenticated attacker to store a specially crafted tag value in the _user_tags field. When a victim opens the list or report view where these tags are displayed, the malicious tag triggers JavaScript execution. This happens because the renderer inserts tag content directly into HTML attributes and element content without properly escaping it, leading to cross-site scripting (XSS).

The vulnerability can lead to cross-site scripting attacks, allowing an attacker to execute arbitrary JavaScript in the context of a victim's browser. This can result in unauthorized actions performed on behalf of the victim, theft of sensitive information such as session tokens, or other malicious activities when the victim views the affected list or report.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field. When a victim opens the list or report view where these tags are rendered, the injected script executes.

The root cause is that the Tag Pill Renderer component inserts tag content directly into HTML attributes and element content without properly escaping it, allowing attribute injection such as event handlers (e.g., onmouseover) to be executed.

The attack flow involves the attacker submitting a malicious tag via an API endpoint, which is then stored and later rendered unsafely in the UI, triggering the JavaScript execution when viewed.

This vulnerability can lead to the execution of arbitrary JavaScript code in the context of the victim's browser when they view the affected list or report pages. This can result in unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the victim.

Since the vulnerability requires authentication, an attacker must have valid credentials, but once exploited, it can affect any authenticated user who views the malicious tag.

The vulnerability has a medium severity score (CVSS 4.6), indicating a moderate risk that could impact the confidentiality and integrity of user data and the application.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field that contain injected JavaScript code. Since the attack involves submitting crafted tags via the API endpoint, monitoring or querying the tags stored in the system for suspicious content is a practical approach.

One way to detect exploitation attempts is to query the _user_tags field for tags containing suspicious patterns such as event handlers (e.g., onmouseover) or JavaScript code.

• Use API or database queries to list tags stored in the _user_tags field and look for suspicious strings like: xss" onmouseover="alert(7171)" z="
• Monitor HTTP POST requests to the API endpoint `frappe.desk.doctype.tag.tag.add_tag` for unusual or crafted tag values.
• Example command to search for suspicious tags in the database (assuming SQL access): `SELECT _user_tags FROM <tags_table> WHERE _user_tags LIKE '%onmouseover=%' OR _user_tags LIKE '%<script>%'`

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, it is recommended to prevent users from adding or viewing tags that could trigger the vulnerability.

• Disable or restrict access to the tag rendering functionality in the UI to prevent execution of malicious scripts.
• Restrict or monitor authenticated users who can add tags via the API endpoint to reduce the risk of malicious tag injection.
• Consider applying input validation or sanitization on tag values if possible, to prevent injection of JavaScript code.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0.

If upgrading is not possible, disable the tag rendering features that use the vulnerable Tag Pill Renderer component to prevent execution of malicious scripts.

Since no patch is currently available, restricting authenticated user permissions to prevent untrusted users from adding tags can reduce risk.

Monitoring and filtering inputs to the tag API endpoint to block suspicious tag values can also help mitigate exploitation.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field. When a victim opens a list or report view where these tags are rendered, the injected script executes.

The root cause is that the Tag Pill Renderer component inserts tag content directly into HTML attributes and element content without proper escaping, allowing attribute injection such as event handlers (e.g., onmouseover) to be executed.

The attack flow involves the attacker submitting a malicious tag via an API endpoint, which is stored persistently and then rendered unsafely in the UI, leading to JavaScript execution in the victim's browser.

This vulnerability can lead to the execution of arbitrary JavaScript code in the context of a victim user's browser when they view the affected list or report pages. This can result in unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the victim user.

Since the vulnerability requires authentication, an attacker must have valid credentials, but once exploited, it can affect any authenticated user who views the malicious tag.

The vulnerability has a medium severity score (CVSS 4.6), indicating a moderate risk that should be addressed to prevent potential exploitation.

This vulnerability can be detected by checking if the system is running Frappe Framework version 16.10.0, which is known to be affected.

Additionally, detection can involve inspecting the _user_tags field for any suspicious or crafted tag values that could contain malicious JavaScript payloads.

A practical approach to detect exploitation attempts is to monitor API calls to the endpoint `frappe.desk.doctype.tag.tag.add_tag` for unusual or suspicious tag values.

For example, you can use network monitoring tools or web server logs to look for POST requests containing suspicious payloads such as tags with embedded event handlers like `onmouseover`.

Specific commands depend on your environment, but a sample curl command to test the vulnerability by submitting a crafted tag could be:

• curl -X POST -H "Content-Type: application/json" -d '{"tag": "xss\" onmouseover=\"alert(7171)\" z=\""}' https://your-frappe-instance/api/method/frappe.desk.doctype.tag.tag.add_tag

Monitoring the UI for execution of JavaScript when hovering over tags can also help confirm the presence of the vulnerability.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field. When a victim opens the list or report view where these tags are rendered, the injected script executes.

The root cause is that the Tag Pill Renderer component inserts tag content directly into HTML attributes and element content without proper escaping, allowing attribute injection such as event handlers (e.g., onmouseover) to be executed.

The attack flow involves the attacker submitting a malicious tag via an API endpoint, which is then stored and later rendered unsafely in the UI, triggering the JavaScript execution when viewed.

This vulnerability can lead to the execution of arbitrary JavaScript code in the context of a victim's browser when they view the affected list or report pages. This can be exploited to perform actions such as stealing session tokens, performing actions on behalf of the user, or delivering further attacks through the victim's browser.

Since the vulnerability requires authentication, an attacker must have valid credentials, but once exploited, it can compromise the security and integrity of the affected user's session.

The vulnerability has a medium severity score (CVSS 4.6), indicating a moderate risk that should be addressed to prevent potential exploitation.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field that contain injected JavaScript code. Since the attack involves submitting crafted tags via the API endpoint, monitoring or querying the tags stored in the system can help identify exploitation attempts.

One approach is to query the _user_tags field for suspicious tag values that include HTML attribute injections or JavaScript event handlers such as onmouseover.

For example, if you have access to the database or API, you could run commands or queries to list tags containing suspicious patterns like "onmouseover" or quotes that could break HTML attributes.

• Use an API call or database query to retrieve tags from the _user_tags field and search for suspicious strings, e.g., tags containing '" onmouseover=' or other event handlers.
• Monitor HTTP POST requests to the endpoint `frappe.desk.doctype.tag.tag.add_tag` for unusual or crafted tag values.
• Inspect the rendered list or report views in the UI for tags that trigger JavaScript alerts or unexpected behavior when hovered or interacted with.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, preventing the rendering of user-supplied tags or restricting tag creation to trusted users can reduce the risk of exploitation.

• Disable or restrict the use of the _user_tags feature or tag rendering in the list/report views until a fix is released.
• Limit tag creation permissions to highly trusted authenticated users to reduce the chance of malicious tag injection.
• Monitor and audit tag values regularly for suspicious content.
• Educate users to be cautious when interacting with tags in the UI, especially if unexpected behavior occurs.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field. When a victim opens a list or report view where these tags are rendered, the injected script executes.

The root cause is that the Tag Pill Renderer component inserts tag content directly into HTML attributes and element content without proper escaping, allowing attribute injection such as event handlers (e.g., onmouseover) to be executed.

The attack flow involves the attacker submitting a malicious tag via an API endpoint, which is then stored and later rendered unsafely in the UI, triggering the JavaScript execution when viewed.

This vulnerability can lead to the execution of arbitrary JavaScript code in the context of a victim's browser when they view the affected list or report pages. This can result in unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the victim user.

Since the attacker must be authenticated to inject the malicious tag, the risk is somewhat limited to users with access, but the impact can still be significant within that scope.

The vulnerability has a medium severity score (CVSS v4.0 base score 4.6), indicating a moderate risk that should be addressed.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field that contain injected JavaScript code. Since the attack involves storing crafted tags via the API endpoint, monitoring or querying this field for suspicious content is key.

A practical approach is to query the database or use API calls to list tags and inspect for suspicious patterns such as tags containing event handlers like onmouseover or script injections.

For example, if you have access to the Frappe backend or database, you could run a query to find tags containing suspicious substrings:

• SQL: SELECT * FROM `tabUserTag` WHERE `_user_tags` LIKE '%onmouseover=%' OR `_user_tags` LIKE '%<script>%';

Alternatively, you can use curl or similar tools to check if the API endpoint `frappe.desk.doctype.tag.tag.add_tag` has been used to add suspicious tags by reviewing logs or replaying requests.

• Example curl command to test adding a malicious tag (for detection/testing purposes only):
• curl -X POST -H "Content-Type: application/json" -d '{"tag": "xss\" onmouseover=\"alert(7171)\" z=\""}' https://your-frappe-instance/api/method/frappe.desk.doctype.tag.tag.add_tag

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, it is recommended to:

• Prevent users from adding or modifying tags that are rendered in the UI.
• Disable or restrict access to the list/report views where tags are rendered.
• Monitor and sanitize any input that could be stored in the _user_tags field to avoid injection of malicious scripts.

Additionally, consider applying strict Content Security Policy (CSP) headers to limit the impact of any injected scripts.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field. When a victim opens a list or report view where these tags are rendered, the injected script executes.

The root cause is that the Tag Pill Renderer component inserts tag content directly into HTML attributes and element content without proper escaping, allowing attribute injection such as event handlers (e.g., onmouseover) to be executed.

The attack flow involves the attacker submitting a malicious tag via an API endpoint, which is then stored and later rendered unsafely in the user interface, triggering the JavaScript execution when viewed.

This vulnerability can lead to the execution of arbitrary JavaScript code in the context of a victim's browser when they view the affected list or report pages. This can result in unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the victim.

Since the vulnerability requires authentication, an attacker must have valid credentials to inject the malicious tag, but any authenticated user viewing the affected UI can be impacted.

The vulnerability has a medium severity score (CVSS 4.6), indicating a moderate risk that could be exploited to compromise user interactions and data confidentiality within the application.

This vulnerability can be detected by checking if the system is running Frappe Framework version 16.10.0, which is known to be affected.

Additionally, detection can involve inspecting the _user_tags field for any suspicious or crafted tag values that include JavaScript event handlers or code injections.

A practical approach is to query the API endpoint used to add tags (`frappe.desk.doctype.tag.tag.add_tag`) and review stored tags for malicious content.

• Use API calls or database queries to extract the contents of the _user_tags field and look for tags containing suspicious strings such as event handlers (e.g., onmouseover).
• Example command to check tags in the database (assuming access to the database): `SELECT _user_tags FROM tabUser WHERE _user_tags LIKE '%onmouseover=%';`
• Monitor HTTP requests to the tag adding endpoint for suspicious payloads, for example by capturing POST requests to `frappe.desk.doctype.tag.tag.add_tag`.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0.

Since no patch is currently available, it is recommended to disable the tag rendering features that use the vulnerable Tag Pill Renderer component.

Restrict access to authenticated users who can add tags, and monitor or sanitize inputs to prevent injection of malicious tag values.

Consider removing or sanitizing existing tags stored in the _user_tags field to eliminate any malicious payloads.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field. When a victim opens a list or report view where these tags are rendered, the injected script executes.

The root cause is that the Tag Pill Renderer component inserts tag content directly into HTML attributes and element content without properly escaping it. This allows the attacker to inject HTML attribute event handlers like onmouseover, leading to JavaScript execution in the victim's browser.

• The attacker submits a malicious tag via the API endpoint.
• The tag is stored persistently in the _user_tags field.
• When the victim views the list/report page, the malicious tag is rendered without escaping, triggering the injected JavaScript.

This vulnerability can lead to the execution of arbitrary JavaScript code in the context of a victim's browser when they view certain pages in the Frappe Framework application. This can result in unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the victim user.

Since the attacker must be authenticated to inject the malicious tag, the risk is somewhat limited to users with access, but the impact can still be significant within that scope.

The vulnerability has a medium severity CVSS score of 4.6, indicating a moderate risk level.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field within the Frappe Framework version 16.10.0. An attacker injects crafted tags via the API endpoint `frappe.desk.doctype.tag.tag.add_tag`.

To detect exploitation attempts or presence of malicious tags, you can query the database or use API calls to list tags and inspect for suspicious content such as tags containing JavaScript event handlers (e.g., onmouseover).

• Use a database query to find tags with suspicious patterns, for example: `SELECT _user_tags FROM <relevant_table> WHERE _user_tags LIKE '%onmouseover=%' OR _user_tags LIKE '%<script>%'`.
• Use API calls to list tags and manually or programmatically inspect for injected JavaScript or unusual attribute injections.

Monitoring HTTP POST requests to the endpoint `frappe.desk.doctype.tag.tag.add_tag` for suspicious payloads containing JavaScript event handlers or HTML attribute injections can also help detect exploitation attempts.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, preventing the rendering of tags that interpolate unescaped content into HTML attributes and element content is critical to avoid triggering the stored DOM-based XSS.

Additionally, restrict access to the API endpoint `frappe.desk.doctype.tag.tag.add_tag` to trusted users only, as exploitation requires authentication.

Monitor and remove any suspicious or malicious tags found in the _user_tags field to reduce risk.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field. When a victim opens a list or report view where these tags are rendered, the injected script executes.

The root cause is that the Tag Pill Renderer component inserts tag content directly into HTML attributes and element content without proper escaping, allowing attribute injection such as event handlers (e.g., onmouseover) to be executed.

The attack flow involves the attacker submitting a malicious tag via an API endpoint, which is then stored and later rendered in the UI, triggering the JavaScript execution when viewed.

This vulnerability can lead to the execution of arbitrary JavaScript code in the context of the victim's browser when they view the affected list or report pages. This can result in unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the victim.

Since the vulnerability requires authentication, an attacker must have valid credentials but can then exploit it to target other authenticated users.

The vulnerability has a medium severity score (CVSS v4.0 base score 4.6), indicating a moderate risk that should be addressed to prevent potential exploitation.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field that contain injected JavaScript code. Since the attack involves storing crafted tags via the API endpoint, monitoring or querying the tags stored in the system can help identify suspicious entries.

A practical approach is to query the _user_tags field for tags containing suspicious patterns such as event handlers (e.g., onmouseover) or quotes that could lead to attribute injection.

• Use API or database queries to list tags stored in _user_tags and look for suspicious strings like: xss" onmouseover="alert(7171)" z="
• Example command to query tags (assuming direct database access):
• SELECT _user_tags FROM <relevant_table> WHERE _user_tags LIKE '%onmouseover=%' OR _user_tags LIKE '%<script>%' OR _user_tags LIKE '%"%';

Additionally, monitoring HTTP POST requests to the API endpoint `frappe.desk.doctype.tag.tag.add_tag` for suspicious payloads can help detect exploitation attempts.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, preventing the rendering of tags that interpolate unescaped content into HTML attributes and element content is critical.

• Disable or restrict access to the tag rendering functionality in the UI to prevent execution of malicious scripts.
• Restrict or monitor authenticated users who can add tags via the API endpoint to reduce the risk of malicious tag injection.
• Implement input validation or sanitization on tag values if possible, to prevent injection of JavaScript code.

Monitoring for suspicious tags and removing any detected malicious entries can also help reduce risk until a fix is released.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field.

When a victim opens a list or report view where these tags are rendered, the injected script executes because the vulnerable renderer inserts tag content directly into HTML attributes and element content without proper escaping.

This allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session.

This vulnerability can lead to the execution of malicious JavaScript code in the browser of any user who views the affected list or report page.

• It can be used to steal session tokens or sensitive information accessible in the user's browser.
• It may allow attackers to perform actions on behalf of the victim user within the application.
• The attack requires the attacker to be authenticated but can be triggered remotely.

Overall, it poses a medium severity risk with a CVSS v4.0 base score of 4.6.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field that contain injected JavaScript code. Since the attack involves submitting crafted tags via the API endpoint, monitoring or querying this field for suspicious content is key.

A practical approach is to query the _user_tags field in your Frappe database or use API calls to list tags and inspect them for suspicious patterns such as embedded event handlers (e.g., onmouseover) or script fragments.

For example, you can use a command or script to search for tags containing suspicious substrings like "onmouseover" or quotes that could indicate injection attempts.

• Use a database query to find tags with suspicious content, e.g., in SQL: SELECT * FROM `tabUser` WHERE `_user_tags` LIKE '%onmouseover%' OR `_user_tags` LIKE '%"%';
• Use API calls to retrieve tags and filter for suspicious patterns.
• Monitor network traffic for POST requests to the endpoint `frappe.desk.doctype.tag.tag.add_tag` containing suspicious tag values.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, preventing the rendering of user-supplied tags or sanitizing tag content before rendering is recommended to avoid JavaScript execution.

Additionally, restrict access to the API endpoint that allows adding tags to authenticated and trusted users only, and monitor for suspicious tag submissions.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field.

When a victim opens a list or report view where these tags are rendered, the injected script executes because the tag content is inserted directly into HTML attributes and element content without proper escaping.

The attack flow involves the attacker submitting a malicious tag via an API endpoint, which is then stored and later rendered unsafely in the UI, allowing JavaScript execution such as event handlers like onmouseover.

This vulnerability can lead to the execution of arbitrary JavaScript code in the context of the victim's browser when they view the affected list or report pages.

Such script execution can be used to steal sensitive information, hijack user sessions, perform actions on behalf of the user, or deliver further attacks within the application.

Because the vulnerability requires authentication, an attacker must have valid credentials, but once exploited, it can affect any authenticated user viewing the malicious tag.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field that contain injected JavaScript code. Since the attack involves storing crafted tags via the API endpoint, monitoring or querying the tags stored in the system can help identify exploitation attempts.

A practical approach is to query the _user_tags field for suspicious tag values containing JavaScript event handlers or unusual characters such as quotes and angle brackets.

• Use API or database queries to list tags stored in _user_tags and look for suspicious patterns like: xss" onmouseover="alert(7171)" z="
• Example command to query tags (assuming direct database access): SELECT _user_tags FROM <relevant_table> WHERE _user_tags LIKE '%onmouseover=%' OR _user_tags LIKE '%<script>%';
• Monitor HTTP POST requests to the API endpoint frappe.desk.doctype.tag.tag.add_tag for suspicious payloads containing JavaScript code.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, preventing the rendering of tags that interpolate unescaped content into HTML attributes and element content is critical to avoid exploitation.

• Disable or restrict access to the tag rendering functionality in the UI until a fix is released.
• Restrict or monitor authenticated users who can add tags via the API to reduce the risk of malicious tag injection.
• Implement input validation or sanitization on tag values if possible to prevent injection of malicious scripts.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field. When a victim opens a list or report view where these tags are rendered, the injected script executes.

The root cause is that the Tag Pill Renderer component inserts tag content directly into HTML attributes and element content without properly escaping it. This allows the attacker to inject HTML attribute event handlers like onmouseover, leading to JavaScript execution in the victim's browser.

• The attacker submits a malicious tag via the API endpoint.
• The tag is stored persistently in the _user_tags field.
• When the victim views the list/report page, the malicious tag is rendered without escaping.
• This causes the injected JavaScript to execute in the victim's browser.

This vulnerability can lead to the execution of arbitrary JavaScript code in the context of the victim's browser session when they view the affected list or report pages. This can result in unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the victim.

Because the attacker must be authenticated to inject the malicious tag, the risk is somewhat limited to users with access, but the impact on those users can be significant.

The vulnerability has a medium severity CVSS score of 4.6, indicating a moderate risk level.

No patch is currently available, so mitigation involves avoiding use of the vulnerable version or disabling tag rendering features.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field that contain injected JavaScript code. Since the attack involves storing crafted tags via the API endpoint, you can inspect the tags stored in the system for suspicious content.

One approach is to query the database or use API calls to list tags and look for tags containing suspicious patterns such as event handlers (e.g., onmouseover) or script injections.

For example, if you have access to the system's database, you might run a query to find tags with suspicious content like:

• SELECT * FROM `tabUser` WHERE `_user_tags` LIKE '%onmouseover=%' OR `_user_tags` LIKE '%<script%' OR `_user_tags` LIKE '%javascript:%';

Alternatively, you can monitor HTTP requests to the API endpoint `frappe.desk.doctype.tag.tag.add_tag` for suspicious POST requests containing crafted tag values.

Since the vulnerability requires authentication, reviewing authenticated user activity logs for unusual tag additions may also help detect exploitation attempts.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, you should consider the following actions:

• Disable or restrict access to the tag rendering functionality in the UI to prevent execution of malicious scripts.
• Limit or monitor authenticated user permissions to reduce the risk of attackers injecting malicious tags.
• Implement input validation or sanitization on tag values if possible, to prevent injection of JavaScript code.
• Monitor logs and user activity for suspicious tag creation or modification.

Plan to upgrade to a patched version once it becomes available.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field. When a victim opens a list or report view where these tags are rendered, the injected script executes.

The root cause is that the Tag Pill Renderer component inserts tag content directly into HTML attributes and element content without proper escaping, allowing the attacker to inject code that runs in the victim's browser.

The attack flow involves the attacker submitting a malicious tag via an API endpoint, which is then stored and later rendered unsafely in the UI, enabling JavaScript execution such as event handlers like onmouseover.

This vulnerability can lead to the execution of arbitrary JavaScript code in the context of a victim's browser when they view the affected list or report pages. This can result in unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the victim.

Since the vulnerability requires authentication, an attacker must have valid credentials, but once exploited, it can compromise the security of users interacting with the vulnerable interface.

The vulnerability has a medium severity score (CVSS 4.6), indicating a moderate risk that should be addressed to prevent potential exploitation.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field within the Frappe Framework version 16.10.0. An attacker injects crafted tags via the API endpoint `frappe.desk.doctype.tag.tag.add_tag`.

To detect exploitation attempts or presence of malicious tags, you can query the database or use API calls to list tags and inspect for suspicious content such as tags containing JavaScript event handlers (e.g., onmouseover).

• Use a database query to search for suspicious tags in the _user_tags field, for example: `SELECT _user_tags FROM <relevant_table> WHERE _user_tags LIKE '%onmouseover=%' OR _user_tags LIKE '%<script>%'`.
• Monitor API requests to the endpoint `frappe.desk.doctype.tag.tag.add_tag` for unusual or crafted tag values.
• Check the UI for unexpected JavaScript alerts or behavior when hovering over tags in list or report views.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, it is recommended to restrict access to authenticated users who can add tags, monitor and sanitize tag inputs, and educate users to avoid interacting with suspicious tags.

• Disable or restrict the feature that renders tags in list or report views until a fix is released.
• Limit permissions to prevent unauthorized users from adding or modifying tags.
• Monitor logs and API usage for suspicious tag creation attempts.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field. When a victim opens the list or report view where these tags are rendered, the injected script executes.

The root cause is that the Tag Pill Renderer component inserts tag content directly into HTML attributes and element content without proper escaping, allowing attribute injection such as event handlers (e.g., onmouseover) to be executed.

The attack flow involves the attacker submitting a malicious tag via an API endpoint, which is then stored and later rendered unsafely in the UI, triggering the JavaScript execution when viewed.

This vulnerability can lead to the execution of arbitrary JavaScript code in the context of a victim's browser when they view the affected list or report pages. This can result in unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the victim user.

Since the vulnerability requires authentication, an attacker must have valid credentials, but once exploited, it can compromise the integrity and confidentiality of user sessions and data.

The vulnerability has a medium severity score (CVSS 4.6), indicating a moderate risk that should be addressed to prevent potential exploitation.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field that contain injected JavaScript code. Since the attack involves submitting crafted tags via the API endpoint, monitoring or querying this field for suspicious content is key.

A practical approach is to query the _user_tags field in your Frappe database or use API calls to list tags and inspect them for suspicious patterns such as embedded event handlers (e.g., onmouseover) or JavaScript code.

• Use a database query to find tags containing suspicious strings, for example: SELECT * FROM `tabUser` WHERE FIND_IN_SET('xss" onmouseover="alert(7171)" z="', _user_tags);
• Use the API endpoint `frappe.desk.doctype.tag.tag.add_tag` to list or audit tags and check for injected scripts.

Additionally, monitoring HTTP requests to the tag addition API for suspicious payloads or unusual tag values can help detect exploitation attempts.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, it is recommended to restrict access to the affected functionality and prevent users from adding or viewing tags that could contain malicious content.

• Disable or restrict the use of the _user_tags field or the tag rendering UI components until a fix is released.
• Limit authenticated user permissions to prevent unauthorized tag creation or modification.

Monitoring and auditing tag values for suspicious content can also help reduce risk while waiting for an official patch.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field. When a victim opens the list or report view where these tags are rendered, the injected script executes.

The root cause is that the Tag Pill Renderer component inserts tag content directly into HTML attributes and element content without proper escaping, allowing attribute injection such as event handlers (e.g., onmouseover) to be executed.

• The attacker submits a malicious tag via the API endpoint.
• The tag is stored persistently in the _user_tags field.
• When the list or report view renders the tags, the malicious script is injected into the DOM and executed.

This vulnerability allows an authenticated attacker to execute arbitrary JavaScript code in the context of a victim's browser when they view the affected list or report pages. This can lead to unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the victim.

Since the attack requires authentication and user interaction (viewing the page and triggering the event), the risk is medium severity with a CVSS v4.0 base score of 4.6.

Exploitation can result in compromised user accounts, exposure of sensitive information, or manipulation of the application's behavior.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field that contain injected JavaScript code. Since the attack involves storing crafted tags via the API endpoint, monitoring or querying this field for suspicious content is key.

A practical approach is to query the database or use API calls to list tags and inspect them for suspicious patterns such as embedded event handlers (e.g., onmouseover) or script fragments.

For example, you can use a command or script to query the _user_tags field for tags containing suspicious substrings like "onmouseover", "alert", or other JavaScript event handlers.

• Use an API call to list tags: POST to `frappe.desk.doctype.tag.tag.add_tag` endpoint and review stored tags.
• Query the database for _user_tags field entries containing suspicious strings, e.g., using SQL: `SELECT _user_tags FROM <tag_table> WHERE _user_tags LIKE '%onmouseover%' OR _user_tags LIKE '%alert%'`.
• Monitor HTTP requests to the tag API endpoint for suspicious tag values being added.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, preventing the rendering of tags that interpolate unescaped content into HTML attributes and element content is critical to stop exploitation.

• Disable or restrict access to the tag rendering functionality in the UI to prevent execution of malicious scripts.
• Restrict or monitor authenticated users who can add tags to reduce the risk of malicious tag injection.
• Avoid upgrading to or using version 16.10.0 until a fix is released.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field. When a victim opens a list or report view where these tags are rendered, the injected script executes.

The root cause is that the Tag Pill Renderer component inserts tag content directly into HTML attributes and element content without properly escaping it. This allows the attacker to inject HTML attribute event handlers like onmouseover, leading to JavaScript execution in the victim's browser.

The attack flow involves the attacker submitting a malicious tag via an API endpoint, which is then stored and later rendered unsafely in the UI, triggering the script when viewed.

This vulnerability can lead to the execution of arbitrary JavaScript code in the context of a victim's browser when they view the affected list or report pages. This can result in unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the victim.

Since the vulnerability requires authentication, an attacker must have valid credentials, but once exploited, it can affect any authenticated user who views the malicious tag.

The vulnerability has a medium severity score (CVSS 4.6), indicating a moderate risk that can impact the confidentiality and integrity of user sessions and data.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field that contain injected JavaScript code. Since the attack involves submitting crafted tags via the API endpoint, monitoring or querying the stored tags for suspicious content is a key detection method.

A practical approach is to query the database or use API calls to list tags stored in the _user_tags field and look for tags containing suspicious patterns such as event handlers (e.g., onmouseover) or script injections.

For example, if you have direct database access, you could run a query to find tags containing suspicious substrings like 'onmouseover' or quotes that could indicate injection attempts.

• SQL query example: SELECT * FROM <tags_table> WHERE _user_tags LIKE '%onmouseover%' OR _user_tags LIKE '%"%';

Alternatively, you can monitor HTTP POST requests to the API endpoint `frappe.desk.doctype.tag.tag.add_tag` for suspicious payloads containing JavaScript code.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, preventing the rendering of tags that interpolate unescaped content into HTML attributes and element content is critical to stop exploitation.

Additionally, restrict or monitor authenticated users who can add tags to reduce the risk of malicious tag injection.

This vulnerability allows an authenticated attacker to store a specially crafted tag value in the _user_tags field. When a victim opens the list or report view where these tags are displayed, the malicious tag triggers JavaScript execution. This happens because the renderer inserts tag content directly into HTML attributes and element content without properly escaping it, leading to cross-site scripting (XSS).

The vulnerability can lead to cross-site scripting attacks, allowing attackers to execute arbitrary JavaScript in the context of the victim's browser. This can result in unauthorized actions performed on behalf of the victim, theft of sensitive information such as session tokens, or other malicious activities when the victim views the affected list or report.

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field that contain injected JavaScript code. Specifically, you can look for tags that include suspicious attribute injections such as event handlers (e.g., onmouseover) within the tag values.

One way to detect exploitation attempts is to monitor API calls to the endpoint frappe.desk.doctype.tag.tag.add_tag for suspicious payloads containing JavaScript or HTML attribute injections.

Example commands to detect suspicious tags in the database or logs might include:

• Query the database for tags containing suspicious patterns, e.g., using SQL: SELECT * FROM `tabUser` WHERE _user_tags LIKE '%onmouseover=%' OR _user_tags LIKE '%<script>%';
• Search application logs or API request logs for POST requests to frappe.desk.doctype.tag.tag.add_tag containing suspicious payloads with JavaScript event handlers.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, it is recommended to restrict access to authenticated users who can add tags, monitor and sanitize tag inputs, and consider disabling or limiting the display of user tags in list or report views until a fix is released.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field.

When a victim opens the list or report view where these tags are rendered, the injected script executes because the vulnerable renderer inserts tag content directly into HTML attributes and element content without proper escaping.

This allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session.

This vulnerability can lead to the execution of malicious JavaScript code in the browser of any user who views the affected list or report page.

• It can be used to perform actions on behalf of the victim, steal sensitive information, or manipulate the user interface.
• Since the attacker must be authenticated, it requires some level of access but can still be exploited to escalate impact within the system.
• The vulnerability has a medium severity score (CVSS 4.6), indicating a moderate risk.

This vulnerability can be detected by checking if your Frappe Framework installation is version 16.10.0, which is known to be affected.

Additionally, you can look for malicious tag values stored in the _user_tags field by querying the system or database for suspicious tags containing JavaScript event handlers or unusual attribute injections.

A practical approach is to monitor API calls to the endpoint frappe.desk.doctype.tag.tag.add_tag for suspicious POST requests containing crafted tag values.

• Use database queries or API inspection to find tags with suspicious content, for example, searching for tags containing strings like 'onmouseover' or other event handlers.
• Example command to search for suspicious tags in the database (assuming SQL): SELECT * FROM tags WHERE _user_tags LIKE '%onmouseover%';
• Monitor network traffic for POST requests to the add_tag API endpoint with suspicious payloads.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0.

If upgrading is not possible, disable the tag rendering features that use the vulnerable Tag Pill Renderer component to prevent execution of malicious scripts.

Monitor and remove any suspicious or malicious tags stored in the _user_tags field to reduce risk.

Since no patch is currently available, these mitigations are critical to reduce exposure until a fix is released.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field. When a victim opens a list or report view where these tags are rendered, the injected script executes.

The root cause is that the Tag Pill Renderer component inserts tag content directly into HTML attributes and element content without proper escaping, allowing attribute injection such as event handlers (e.g., onmouseover) to be executed.

• The attacker submits a malicious tag via the API endpoint.
• The malicious tag is stored persistently in the _user_tags field.
• When the victim views the list/report page, the tag is rendered into HTML without escaping, triggering the malicious JavaScript.

This vulnerability allows an authenticated attacker to execute arbitrary JavaScript code in the context of a victim's browser when they view certain pages in the Frappe Framework UI.

Potential impacts include theft of sensitive information, session hijacking, or performing actions on behalf of the victim user within the application.

Since the attack requires authentication and user interaction (viewing the affected page), the risk is medium severity with a CVSS score of 4.6.

No patch is currently available, so mitigation involves avoiding use of the vulnerable version or disabling tag rendering features.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field within the Frappe Framework version 16.10.0. An attacker injects crafted tags via the API endpoint `frappe.desk.doctype.tag.tag.add_tag`.

To detect exploitation attempts or presence of malicious tags, you can query the database or use API calls to list tags and inspect for suspicious content such as tags containing JavaScript event handlers (e.g., onmouseover).

• Use a database query to search for suspicious tags in the _user_tags field, for example: `SELECT _user_tags FROM <relevant_table> WHERE _user_tags LIKE '%onmouseover=%' OR _user_tags LIKE '%<script>%'`.
• Use the Frappe API to list tags and manually inspect or script detection of tags containing suspicious attributes or JavaScript code.
• Monitor HTTP POST requests to the endpoint `frappe.desk.doctype.tag.tag.add_tag` for suspicious payloads containing JavaScript event handlers or injection patterns.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, it is recommended to restrict access to the affected functionality and prevent attackers from injecting malicious tags by limiting authenticated user permissions.

• Disable or restrict the use of the tag rendering feature in the UI to prevent execution of injected scripts.
• Monitor and audit user inputs to the tag API endpoint to detect and block malicious tag submissions.
• Consider upgrading to a fixed version once available or applying custom input sanitization and escaping in the tag rendering logic.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field.

When a victim opens a list or report view where these tags are rendered, the injected script executes because the tag renderer inserts tag content directly into HTML attributes and element content without proper escaping.

This allows the attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to unauthorized actions or data exposure.

This vulnerability can impact you by allowing an authenticated attacker to execute arbitrary JavaScript code in your browser when viewing certain pages in the Frappe Framework application.

Such JavaScript execution can lead to unauthorized actions, data theft, session hijacking, or other malicious activities within the context of your user session.

Since the vulnerability requires authentication, it mainly threatens users who have access to the system, but the impact can still be significant depending on user privileges.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field that contain unescaped JavaScript code. Specifically, an attacker submits a crafted tag via the API endpoint `frappe.desk.doctype.tag.tag.add_tag`.

To detect exploitation attempts or presence of malicious tags, you can query the database or use API calls to inspect the _user_tags field for suspicious content such as tags containing event handlers like `onmouseover` or JavaScript code.

• Example command to query tags in the database (assuming SQL access): `SELECT _user_tags FROM <relevant_table> WHERE _user_tags LIKE '%onmouseover=%' OR _user_tags LIKE '%<script>%'`
• Use API calls to list tags and inspect their content for suspicious patterns.

Monitoring HTTP POST requests to the endpoint `frappe.desk.doctype.tag.tag.add_tag` for suspicious payloads containing JavaScript or event handlers can also help detect attempts to exploit this vulnerability.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, preventing the rendering of tags that interpolate unescaped content into HTML attributes and element content is critical.

• Disable or restrict access to the tag rendering functionality in the UI to prevent execution of injected scripts.
• Limit authenticated user permissions to reduce the risk of attackers submitting malicious tags.

Monitor and audit tag values regularly to detect and remove any malicious entries.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field. When a victim opens the list or report view where these tags are rendered, the injected script executes.

The root cause is that the Tag Pill Renderer component inserts tag content directly into HTML attributes and element content without proper escaping, allowing attribute injection such as event handlers (e.g., onmouseover) to be executed.

• The attacker submits a malicious tag via the API endpoint.
• The tag is stored persistently in the _user_tags field.
• When the victim views the list/report page, the malicious tag is rendered and the JavaScript executes.

This vulnerability allows an authenticated attacker to execute arbitrary JavaScript code in the context of a victim's browser when they view certain pages in the Frappe Framework UI.

Potential impacts include theft of user session data, performing actions on behalf of the victim, or other malicious activities that can be triggered via the injected script.

Since the attack requires authentication and user interaction (viewing the affected page), the risk is medium severity with a CVSS score of 4.6.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field that contain injected JavaScript code. Since the attack involves storing crafted tags via the API endpoint, monitoring or querying the _user_tags field for suspicious or unusual tag content is a key detection method.

A practical approach is to query the database or use API calls to list tags and inspect them for suspicious patterns such as embedded event handlers (e.g., onmouseover) or script fragments.

Example commands might include:

• Using a database query to find tags containing suspicious strings, e.g., in SQL: SELECT * FROM `tabUser` WHERE `_user_tags` LIKE '%onmouseover=%' OR `_user_tags` LIKE '%<script>%';
• Using curl to test the API endpoint for tag injection: curl -X POST -H "Content-Type: application/json" -d '{"tag": "xss\" onmouseover=\"alert(7171)\" z=\""}' https://your-frappe-instance/api/method/frappe.desk.doctype.tag.tag.add_tag

Note that detection requires authentication since the vulnerability is exploitable only by authenticated users.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, it is recommended to:

• Prevent users from adding or modifying tags that are rendered in the UI.
• Disable or restrict access to the list/report views where tags are rendered.
• Monitor and sanitize any user input related to tags to avoid injection of malicious content.

These steps reduce the risk of stored DOM-based XSS exploitation until an official fix is released.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript by storing a specially crafted tag value in the _user_tags field.

When a victim opens the list or report view where these tags are rendered, the injected script executes because the tag renderer inserts tag content directly into HTML attributes and element content without proper escaping.

This allows the attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to unauthorized actions or data exposure.

This vulnerability can lead to the execution of malicious JavaScript code in the browser of any authenticated user who views the affected list or report pages.

Potential impacts include unauthorized actions performed on behalf of the user, theft of sensitive information such as session tokens, or manipulation of the user interface.

Since the attack requires authentication, it primarily affects users with access to the system, but it can still lead to significant security risks within the affected environment.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field, which are rendered without proper escaping in the Frappe Framework version 16.10.0.

One way to detect exploitation attempts is to look for suspicious tag values containing JavaScript event handlers or code injections, such as tags with attributes like onmouseover.

A practical approach is to query the database or use API calls to inspect the _user_tags field for suspicious content.

• Use an API call to list tags and check for suspicious entries, for example, by querying the endpoint `frappe.desk.doctype.tag.tag.add_tag` or inspecting stored tags.
• Run a database query to find tags containing suspicious JavaScript code, for example: `SELECT * FROM tabUser WHERE _user_tags LIKE '%onmouseover=%' OR _user_tags LIKE '%<script%'`.
• Monitor HTTP POST requests to the API endpoint `frappe.desk.doctype.tag.tag.add_tag` for suspicious payloads containing JavaScript code.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, it is recommended to restrict access to authenticated users who can add tags and monitor for suspicious tag values.

Additionally, consider sanitizing or removing suspicious tags from the _user_tags field to prevent JavaScript execution.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field. When a victim opens a list or report view where these tags are rendered, the injected script executes.

The root cause is that the Tag Pill Renderer component inserts tag content directly into HTML attributes and element content without proper escaping, allowing attribute injection such as event handlers like onmouseover.

The attack flow involves the attacker submitting a malicious tag via an API endpoint, which is stored persistently and then rendered unsafely in the UI, triggering JavaScript execution when viewed.

This vulnerability can lead to the execution of arbitrary JavaScript code in the context of a victim's browser when they view the affected list or report pages. This can result in unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the victim.

Since the vulnerability requires authentication, an attacker must have valid credentials but can then exploit the stored XSS to affect other authenticated users.

The vulnerability has a medium severity CVSS score of 4.6, indicating a moderate risk that could impact the confidentiality and integrity of user data and application behavior.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field that contain injected JavaScript code. Since the attack involves submitting crafted tags via the API endpoint, monitoring or querying this field for suspicious content is key.

A practical approach is to query the _user_tags field in your Frappe Framework database or use API calls to list tags and inspect them for suspicious patterns such as embedded event handlers (e.g., onmouseover) or script fragments.

For example, you could run a database query to find tags containing suspicious substrings like 'onmouseover' or quotes that could indicate injection attempts.

• SQL example: SELECT * FROM `tabUser` WHERE `_user_tags` LIKE '%onmouseover%' OR `_user_tags` LIKE '%"%';
• API example: Use the API endpoint `frappe.desk.doctype.tag.tag.add_tag` to list or audit tags and check for malicious content.

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, preventing the rendering of tags that can execute injected JavaScript is critical to stop exploitation.

• Disable or restrict access to the tag rendering functionality in the UI to prevent execution of malicious scripts.
• Audit and remove any suspicious or malicious tags stored in the _user_tags field.
• Limit user permissions to reduce the risk of authenticated attackers injecting malicious tags.
• Monitor for suspicious activity related to tag creation or modification.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field. When a victim opens a list or report view where these tags are rendered, the injected script executes.

The root cause is that the Tag Pill Renderer component inserts tag content directly into HTML attributes and element content without proper escaping, allowing attribute injection such as event handlers (e.g., onmouseover) to be executed.

The attack flow involves the attacker submitting a malicious tag via an API endpoint, which is then stored and later rendered unsafely in the UI, triggering the JavaScript execution when viewed.

This vulnerability can lead to the execution of arbitrary JavaScript code in the context of a victim's browser when they view the affected list or report pages. This can result in unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the victim.

Since the vulnerability requires authentication, an attacker must have valid credentials but can then exploit the vulnerability to target other authenticated users.

The vulnerability has a medium severity score (CVSS v4.0 base score 4.6), indicating a moderate risk that could impact the confidentiality and integrity of user data and application behavior.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field that contain injected JavaScript code. Since the attack involves submitting crafted tags via the API endpoint, monitoring or querying this field for suspicious content is key.

A practical approach is to query the _user_tags field in your Frappe database or use API calls to list tags and inspect them for suspicious patterns such as embedded event handlers (e.g., onmouseover) or script fragments.

• Use a database query to find tags containing suspicious characters or event handlers, for example (SQL syntax may vary): SELECT * FROM `tabUser` WHERE _user_tags LIKE '%onmouseover=%' OR _user_tags LIKE '%<script%' OR _user_tags LIKE '%"%'
• Use curl or similar tools to query the API endpoint and inspect tag values: curl -X GET 'https://your-frappe-instance/api/resource/Tag' -H 'Authorization: token <your_token>'
• Look for tags with suspicious payloads such as: xss" onmouseover="alert(7171)" z="

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, preventing the rendering of user tags or restricting authenticated users from adding tags can reduce the attack surface.

• Disable or restrict the use of the _user_tags field or tag rendering in the UI until a fix is released.
• Limit authenticated user permissions to prevent unauthorized tag creation.
• Monitor and remove any suspicious or malicious tags found in the system.

CVE-2026-3673 is a stored DOM-based cross-site scripting (XSS) vulnerability in the Frappe Framework version 16.10.0. An authenticated attacker can inject malicious JavaScript code by storing a specially crafted tag value in the _user_tags field. When a victim opens the list or report view where these tags are rendered, the injected script executes.

The root cause is that the Tag Pill Renderer component inserts tag content directly into HTML attributes and element content without proper escaping, allowing attribute injection such as event handlers (e.g., onmouseover) to be executed.

The attack flow involves the attacker submitting a malicious tag via an API endpoint, which is then stored and later rendered unsafely in the UI, triggering the JavaScript execution when viewed.

This vulnerability can lead to the execution of arbitrary JavaScript code in the context of a victim's browser when they view the affected list or report pages. This can result in unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the victim.

Since the vulnerability requires authentication, an attacker must have valid credentials, but once exploited, it can compromise the security of users interacting with the affected Frappe Framework instance.

The vulnerability has a medium severity score (CVSS v4.0 base score 4.6), indicating a moderate risk that should be addressed to prevent potential exploitation.

This vulnerability can be detected by checking for the presence of malicious tag values stored in the _user_tags field that include injected JavaScript code. Specifically, you can look for tags containing suspicious attribute injections such as event handlers (e.g., onmouseover) in the tag values.

One way to detect exploitation attempts is to monitor API calls to the endpoint frappe.desk.doctype.tag.tag.add_tag for suspicious payloads containing JavaScript or HTML attribute injections.

Example commands to detect suspicious tags might include querying the database for _user_tags containing suspicious patterns, such as:

• SQL query to find tags with potential XSS payloads: SELECT * FROM `tabUser` WHERE _user_tags LIKE '%onmouseover=%' OR _user_tags LIKE '%<script%' OR _user_tags LIKE '%"%'
• Monitor web server logs or API logs for POST requests to frappe.desk.doctype.tag.tag.add_tag containing suspicious tag values, e.g., using grep: grep -i 'add_tag' /var/log/nginx/access.log | grep -E 'onmouseover|alert|<script'

Immediate mitigation steps include avoiding the use of the vulnerable Frappe Framework version 16.10.0 or disabling the tag rendering features that use the vulnerable Tag Pill Renderer component.

Since no patch is currently available, you should restrict access to authenticated users who can add tags and monitor for suspicious tag values.

Additionally, consider implementing input validation or escaping on tag values before rendering them in the UI to prevent JavaScript execution.