Skip to main content

Frappe Framework CVE-2026-50701

| EUVDEUVD-2026-38798 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-24 Fluid Attacks GHSA-wm3j-m9vm-h95g
5.1
CVSS 4.0 · Vendor: Fluid Attacks
Share

Severity by source

Vendor (Fluid Attacks) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Reflected XSS requires victim to click a link (UI:R), crosses into browser scope (S:C), and has low confidentiality and integrity impact; no server availability or confidentiality breach.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Fluid Attacks).

CVSS VectorVendor: Fluid Attacks

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 15:55 vuln.today

DescriptionCVE.org

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component.

AnalysisAI

Reflected Cross-Site Scripting in Frappe Framework 17.0.0-dev's dashboard-view component allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted URL. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A) confirms no authentication is required from the attacker, though victim interaction is mandatory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Frappe dashboard-view endpoint
Delivery
Craft malicious reflected XSS URL
Exploit
Deliver link to victim via phishing
Execution
Victim clicks URL in browser
Persist
Browser renders unescaped script payload
Impact
Execute JavaScript in victim's authenticated session

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively click a crafted URL targeting the dashboard-view component of Frappe Framework - confirmed by UI:A in the CVSS 4.0 vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.1 appropriately reflects moderate real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies the vulnerable dashboard-view endpoint on a target Frappe Framework 17.0.0-dev deployment and constructs a URL with an unsanitized query parameter containing a JavaScript payload (e.g., a script that exfiltrates the victim's session cookie to an attacker-controlled server). The attacker delivers this URL to a target user via phishing email or message; when the victim clicks the link and their browser renders the reflected response, the injected script executes within the Frappe application's origin, enabling session hijacking or credential harvesting. …
Remediation No specific patched version has been identified in the available data - the input references only the Frappe GitHub repository (https://github.com/frappe/frappe) and the Fluid Attacks advisory (https://fluidattacks.com/es/advisories/nena), without citing an exact fix release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-50712 MEDIUM
4.8 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows authenticated low-privileged users to inject persistent malicious scrip

CVE-2026-50709 MEDIUM
4.8 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persist

CVE-2026-50708 MEDIUM
4.8 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev's MultiSelectDialog component allows authenticated low-privileged attackers to

CVE-2026-50703 MEDIUM
4.8 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persist

CVE-2026-50711 MEDIUM
4.6 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows a high-privileged authenticated user to inject persist

CVE-2026-50710 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework version 17.0.0-dev allows a high-privileged authenticated user to inject malicious JavaSc

CVE-2026-50705 MEDIUM
4.6 Jun 24

Cross-site scripting in Frappe Framework 17.0.0-dev allows a high-privileged attacker who can modify the Form Dashboard

CVE-2026-50704 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged attacker to inject persistent malicious scripts into

CVE-2026-50700 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows high-privileged authenticated attackers to inject persistent malicious

CVE-2026-50699 MEDIUM
4.6 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated attacker with write access to the Aut

CVE-2026-50698 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged authenticated attacker to inject persistent malicious

Share

CVE-2026-50701 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy