Skip to main content

Frappe Framework CVE-2026-50704

| EUVDEUVD-2026-38800 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-24 Fluid Attacks GHSA-x573-2rr6-86rc
4.6
CVSS 4.0 · Vendor: Fluid Attacks
Share

Severity by source

Vendor (Fluid Attacks) PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.8 MEDIUM

PR:H because payload injection requires high-privilege file access; S:C and UI:R because impact occurs in victim's browser session after active navigation.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Fluid Attacks).

CVSS VectorVendor: Fluid Attacks

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 15:54 vuln.today

DescriptionCVE.org

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the File View breadcrumb renderer.

AnalysisAI

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged attacker to inject persistent malicious scripts into the File View breadcrumb renderer, which then execute in the browsers of other users who navigate to the affected view. The CVSS 4.0 vector (PR:H, UI:A, SC:L/SI:L) confirms that while network delivery is possible, exploitation is constrained by the need for elevated access to inject the payload and victim interaction to trigger it, with impact limited to the subsequent system (victim browser). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain high-privilege Frappe credentials
Delivery
Upload file or create folder with XSS payload in name
Exploit
Payload persisted in File View breadcrumb data
Install
Victim navigates to File View path
C2
Browser renders unsanitized breadcrumb
Execute
Malicious script executes in victim browser session
Impact
Session token or DOM data exfiltrated

Vulnerability AssessmentAI

Exploitation The attacker must possess a high-privilege account within the Frappe Framework instance (PR:H per CVSS 4.0 vector) sufficient to upload files or create folder structures whose names are reflected in the File View breadcrumb. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 4.6 (Medium) accurately reflects the constrained exploitation path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with high-privilege access to a Frappe instance - such as a compromised admin account or a malicious insider - uploads a file or creates a folder whose name contains a crafted XSS payload (e.g., an injected script tag). When a lower-privileged user subsequently navigates to the File View and the breadcrumb renderer displays the file path without sanitization, the payload executes in the victim's browser session, potentially enabling session token theft or unauthorized actions on behalf of the victim. …
Remediation No vendor-released patch with an exact fix version has been identified in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-50701 MEDIUM
5.1 Jun 24

Reflected Cross-Site Scripting in Frappe Framework 17.0.0-dev's dashboard-view component allows unauthenticated remote a

CVE-2026-50712 MEDIUM
4.8 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows authenticated low-privileged users to inject persistent malicious scrip

CVE-2026-50709 MEDIUM
4.8 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persist

CVE-2026-50708 MEDIUM
4.8 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev's MultiSelectDialog component allows authenticated low-privileged attackers to

CVE-2026-50703 MEDIUM
4.8 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persist

CVE-2026-50711 MEDIUM
4.6 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows a high-privileged authenticated user to inject persist

CVE-2026-50710 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework version 17.0.0-dev allows a high-privileged authenticated user to inject malicious JavaSc

CVE-2026-50705 MEDIUM
4.6 Jun 24

Cross-site scripting in Frappe Framework 17.0.0-dev allows a high-privileged attacker who can modify the Form Dashboard

CVE-2026-50700 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows high-privileged authenticated attackers to inject persistent malicious

CVE-2026-50699 MEDIUM
4.6 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated attacker with write access to the Aut

CVE-2026-50698 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged authenticated attacker to inject persistent malicious

Share

CVE-2026-50704 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy