Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
High privilege required to write Auto Repeat records (PR:H); victim must open the form (UI:R); scope changes to victim browser (S:C) with low C/I impact; no availability impact applies.
Primary rating from Vendor (Fluid Attacks).
CVSS VectorVendor: Fluid Attacks
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger script execution when users open the affected Auto Repeat form.
AnalysisAI
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated attacker with write access to the Auto Repeat module to inject persistent HTML/JavaScript into the reference_document field via a whitelisted write path, bypassing server-side input controls. When any user opens the affected Auto Repeat form, the injected payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized UI manipulation on behalf of the victim. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Frappe Framework user account with write access to the Auto Repeat module (PR:H per CVSS 4.0 vector) - a non-default, privileged role assignment, not a capability granted to standard users. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 4.6 (Medium) accurately reflects constrained but real exploitation conditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated attacker holding a Frappe account with write privileges to Auto Repeat submits a crafted Auto Repeat record in which the reference_document field contains a JavaScript payload (e.g., a cookie-stealing script). Because the whitelisted write path accepts the input and the framework stores it without sanitization, the payload is persisted to the database. … |
| Remediation | No vendor-released patch has been identified at time of analysis; a confirmed fix version is not available from the provided references. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Frappe Framework
View allReflected Cross-Site Scripting in Frappe Framework 17.0.0-dev's dashboard-view component allows unauthenticated remote a
Stored XSS in Frappe Framework 17.0.0-dev allows authenticated low-privileged users to inject persistent malicious scrip
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persist
Stored XSS in Frappe Framework 17.0.0-dev's MultiSelectDialog component allows authenticated low-privileged attackers to
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persist
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows a high-privileged authenticated user to inject persist
Stored XSS in Frappe Framework version 17.0.0-dev allows a high-privileged authenticated user to inject malicious JavaSc
Cross-site scripting in Frappe Framework 17.0.0-dev allows a high-privileged attacker who can modify the Form Dashboard
Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged attacker to inject persistent malicious scripts into
Stored XSS in Frappe Framework 17.0.0-dev allows high-privileged authenticated attackers to inject persistent malicious
Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged authenticated attacker to inject persistent malicious
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38795
GHSA-5h93-rrcv-vggv