CVE Alert

CVE-2026-41430

UNKNOWN 0.0

Press vulnerable to reflected XSS on login redirection

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). The redirect parameter on the login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting redirects to internal URLs only.

CWE: CWE-79
Vendor: frappe
Product: press
Published: Apr 24, 2026

Affected Versions

frappe / press
< 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/frappe/press/security/advisories/GHSA-mpww-rq79-8r2c
github.com: https://github.com/frappe/press/commit/16d1b6ca2559f858a1de77bcb03fd7f1b81671c6