Which versions of Frappe are affected by CVE-2026-28436?

A cross-site scripting (XSS) vulnerability in Frappe framework versions prior to 16.11.0 and 15.102.0 allows attackers to inject malicious code through avatar image URLs that executes when displayed…

How to fix or mitigate CVE-2026-28436?

Within 24 hours: Identify all Frappe instances in use and document current versions; disable user avatar uploads and external image URL functionality if possible. Within 7 days: Implement input validation and content security policies; monitor for suspicious avatar URLs in logs and comments. Within 30 days: Upgrade affected systems to Frappe versions 16.11.0 or 15.102.0 or later when patches become available; conduct security awareness training on social engineering risks.

Frappe CVE-2026-28436

Q: What is the CVSS score of CVE-2026-28436?

CVE-2026-28436 has a CVSS 4.0 base score of 1.3 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

LOW

Cross-site Scripting (XSS) (CWE-79)

2026-03-05 security-advisories@github.com

XSS Frappe

1.3

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

1.3 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

HIGH LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

7.2 (HIGH) 1.3 (LOW)

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 05, 2026 - 21:16 nvd

HIGH 7.2

DescriptionGitHub Advisory

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0.

AnalysisAI

Stored cross-site scripting in Frappe versions prior to 16.11.0 and 15.102.0 allows unauthenticated attackers to execute arbitrary JavaScript in users' browsers through malicious image URLs in avatar fields and website comments. The vulnerability affects any user viewing a page containing the compromised avatar, enabling session hijacking, credential theft, or malware distribution without user interaction.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Attacker crafts malicious image URL with XSS payload

Delivery

Submits URL as avatar or comment

Exploit

Avatar displayed to other users

Execution

JavaScript executes in victim's browser

Impact

Session hijacking or credential theft

Access

Attacker crafts malicious image URL with XSS payload

Delivery

Submits URL as avatar or comment

Exploit

Avatar displayed to other users

Execution

JavaScript executes in victim's browser

Impact

Session hijacking or credential theft

Vulnerability AssessmentAI

Exploitation	Frappe versions prior to 16.11.0 and 15.102.0 with website comments enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.2 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this flaw, XSS when the avatar is displayed, and it can be triggered fo.
Remediation	Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Frappe instances in use and document current versions; disable user avatar uploads and external image URL functionality if possible. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-44208 MEDIUM This Month

6.9 Jun 12

Unauthorized resource access in the Frappe web application framework exposes the submit_discussion() endpoint to unauthe

CVE-2026-50026 MEDIUM This Month

6.9 Jun 12

Missing authorization checks on multiple Frappe framework endpoints allow remote unauthenticated attackers to access and

CVE-2026-44205 MEDIUM This Month

6.9 Jun 12

Stored cross-site scripting in Frappe's user profile image section enables script injection that executes in the browser

CVE-2026-47739 MEDIUM This Month

6.9 Jun 12

Stored cross-site scripting in the Frappe framework's Note feature allows a low-privileged attacker to persist malicious

CVE-2026-44206 MEDIUM This Month

6.9 Jun 12

DB schema enumeration in Frappe (versions prior to 15.107.2 and 16.17.4) exposes internal database structure to unauthen

CVE-2026-28436 vulnerability details – vuln.today

Back

Frappe CVE-2026-28436

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code