CVE-2026-25956

6.1 MEDIUM

📋 TL;DR

This vulnerability allows attackers to craft malicious signup URLs for Frappe sites, which can lead to open redirects or reflected cross-site scripting (XSS) attacks when users sign up. It affects all Frappe framework users running versions before 14.99.14 or 15.94.0. The attacker can potentially steal user credentials or redirect users to malicious sites.

💻 Affected Systems

Products:
  • Frappe Framework
Versions: All versions before 14.99.14 and 15.94.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Frappe sites with user signup functionality enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal user session cookies, credentials, or redirect users to phishing sites, potentially leading to account compromise and data theft.

🟠

Likely Case

Attackers would typically use this for phishing campaigns or session hijacking by redirecting users to malicious sites.

🟢

If Mitigated

With proper input validation and output encoding, the impact would be limited to failed exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking malicious link) but is straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.99.14 or 15.94.0

Vendor Advisory: https://github.com/frappe/frappe/security/advisories/GHSA-7m8v-g2pr-h2f7

Restart Required: Yes

Instructions:

1. Update Frappe to version 14.99.14 (for v14) or 15.94.0 (for v15).
2. Restart the Frappe application server.
3. Verify the fix by testing signup functionality.

🔧 Temporary Workarounds

Disable User Signup

Platform: all

Temporarily disable user self-registration functionality to prevent exploitation.

bench set-config allow_signup false

Input Validation Filter

Platform: all

Add custom validation to sanitize signup URL parameters.

Add URL validation in signup controller to reject suspicious redirect parameters
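A validation and output-encoding check of the kind this workaround describes, written here as an added example and not Frappe's own code. It assumes a hypothetical redirect parameter named redirect_to and an application that calls safe_redirect before issuing any redirect; only site-local paths (or absolute URLs to an explicitly allowed host) pass.

```python
import html
from urllib.parse import urlsplit

# Hypothetical parameter name used for illustration; the page does not name the
# actual parameter, only "redirect parameters" in signup URLs.
REDIRECT_PARAM = "redirect_to"


def is_safe_redirect(target: str, allowed_hosts=frozenset()) -> bool:
    """Return True only if `target` is a same-site path or an absolute
    http(s) URL whose host is in `allowed_hosts`."""
    if not target:
        return False
    # Browsers strip some control characters and whitespace before parsing,
    # so a value containing them may parse differently than it does here.
    if any(ord(c) < 0x20 or c in " \t\r\n" for c in target):
        return False
    # Browsers treat "\" like "/", so "/\evil.example" becomes scheme-relative.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme:
        # Absolute URL: only http(s) and only to an explicitly allowed host
        # (parts.hostname ignores any user@ prefix used to spoof the host).
        if parts.scheme.lower() not in ("http", "https"):
            return False
        return parts.hostname is not None and parts.hostname.lower() in allowed_hosts
    if parts.netloc:
        # Scheme-relative form "//evil.example/..." -> off-site redirect.
        return False
    # Must be a site-local absolute path with exactly one leading slash.
    return target.startswith("/") and not target.startswith("//")


def safe_redirect(target: str, allowed_hosts=frozenset(), fallback: str = "/") -> str:
    """Redirect location to actually use: the validated target or `fallback`."""
    return target if is_safe_redirect(target, allowed_hosts) else fallback


def hidden_field(target: str, allowed_hosts=frozenset()) -> str:
    """Echo the (validated) target into an HTML form with output encoding, so
    characters that survive path validation cannot break out of the attribute."""
    value = html.escape(safe_redirect(target, allowed_hosts), quote=True)
    return f'<input type="hidden" name="{REDIRECT_PARAM}" value="{value}">'
```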

🧯 If You Can't Patch

  • Implement WAF rules to block malicious redirect parameters in signup URLs
  • Deploy browser security headers like Content-Security-Policy to mitigate XSS impact

🔍 How to Verify

Check if Vulnerable:

Check the Frappe version with the bench version command and compare it against the vulnerable versions (before 14.99.14 or 15.94.0).

Check Version:

bench version

Verify Fix Applied:

Test signup functionality with crafted URLs containing redirect parameters to ensure they're properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual signup attempts with URL parameters containing redirects or script tags
  • Multiple failed signup attempts from the same IP

Network Indicators:

  • HTTP requests to signup endpoint with suspicious redirect parameters
  • Outbound redirects to external domains after signup

SIEM Query:

source="frappe_logs" AND (url="*/api/method/frappe.www.login.sign_up*" AND (url="*redirect=*" OR url="*script*"))
