Skip to main content

Frappe Framework CVE-2026-50705

| EUVDEUVD-2026-38802 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-24 Fluid Attacks GHSA-x6g9-3r4x-w7cx
4.6
CVSS 4.0 · Vendor: Fluid Attacks
Share

Severity by source

Vendor (Fluid Attacks) PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.8 MEDIUM

High privileges required to edit the headline field; victim interaction required to trigger; scope change to victim browser with low C/I impact and no A impact.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Fluid Attacks).

CVSS VectorVendor: Fluid Attacks

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 15:54 vuln.today

DescriptionCVE.org

A Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer.

AnalysisAI

Cross-site scripting in Frappe Framework 17.0.0-dev allows a high-privileged attacker who can modify the Form Dashboard headline to inject malicious JavaScript that executes in the browsers of other users who subsequently view the affected form. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation is gated behind two significant barriers: attacker must hold high-privilege application credentials and a victim must actively navigate to the injected form. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker authenticates with high-privilege Frappe credentials
Delivery
Inject XSS payload into Form Dashboard headline field
Exploit
Victim user navigates to affected Frappe form
Execution
Malicious script executes in victim's browser
Impact
Exfiltrate session cookie or perform actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold high-privilege credentials within the Frappe Framework application (confirmed by PR:H in the CVSS 4.0 vector) - specifically, access sufficient to edit the Form Dashboard headline field, which is not a standard user capability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 4.6 accurately captures a moderate-risk vulnerability whose exploitability is substantially constrained. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with high-privilege credentials on a Frappe Framework 17.0.0-dev instance navigates to a frequently used form's dashboard configuration and injects a JavaScript payload (e.g., a cookie-exfiltrating script) into the headline field. When a lower-privileged employee subsequently opens that form in their browser, the injected script executes, silently transmitting the victim's session token to an attacker-controlled endpoint and enabling session hijacking. …
Remediation No vendor-released patch has been identified at the time of analysis; the affected version is Frappe Framework 17.0.0-dev and no fixed release version is confirmed in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-50701 MEDIUM
5.1 Jun 24

Reflected Cross-Site Scripting in Frappe Framework 17.0.0-dev's dashboard-view component allows unauthenticated remote a

CVE-2026-50712 MEDIUM
4.8 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows authenticated low-privileged users to inject persistent malicious scrip

CVE-2026-50709 MEDIUM
4.8 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persist

CVE-2026-50708 MEDIUM
4.8 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev's MultiSelectDialog component allows authenticated low-privileged attackers to

CVE-2026-50703 MEDIUM
4.8 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persist

CVE-2026-50711 MEDIUM
4.6 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows a high-privileged authenticated user to inject persist

CVE-2026-50710 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework version 17.0.0-dev allows a high-privileged authenticated user to inject malicious JavaSc

CVE-2026-50704 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged attacker to inject persistent malicious scripts into

CVE-2026-50700 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows high-privileged authenticated attackers to inject persistent malicious

CVE-2026-50699 MEDIUM
4.6 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated attacker with write access to the Aut

CVE-2026-50698 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged authenticated attacker to inject persistent malicious

Share

CVE-2026-50705 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy