I created an issue, XSS on Login Page · Issue #11750 · frappe/erpnext · GitHub
Issue has been given a “security” label.
Have also pinged Revant and Surabh because this is their area of expertise.
I believe vulnerabilities should be disclosed to the Frappe team privately to prevent malicious users from taking advantage of them, especially given the fact that many users here don’t stick with the good practice of updating their systems to the latest patches.