Skip to main content

Frappe Framework CVE-2026-50708

| EUVDEUVD-2026-38803 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-24 Fluid Attacks GHSA-649m-3hjq-ppg8
4.8
CVSS 4.0 · Vendor: Fluid Attacks
Share

Severity by source

Vendor (Fluid Attacks) PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Low-privilege account required (PR:L), victim must load the stored payload (UI:R), scope changes to victim browser (S:C) enabling limited confidentiality and integrity impact; no availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Fluid Attacks).

CVSS VectorVendor: Fluid Attacks

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 15:54 vuln.today

DescriptionCVE.org

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the MultiSelectDialog component.

AnalysisAI

Stored XSS in Frappe Framework 17.0.0-dev's MultiSelectDialog component allows authenticated low-privileged attackers to inject persistent malicious scripts that execute in other users' browsers when the compromised UI element is rendered. Per the CVSS 4.0 vector (PR:L/UI:A/SC:L/SI:L), exploitation requires a valid low-privilege account and active victim interaction, but the scope change to the subsequent system confirms cross-user impact on confidentiality and integrity. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege Frappe account
Delivery
Inject script payload into MultiSelectDialog input
Exploit
Payload persists in application database
Execution
Victim user opens affected dialog or linked view
Persist
Stored script executes in victim browser
Impact
Exfiltrate session token or perform privileged actions

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid low-privileged authenticated account within the Frappe Framework application - unauthenticated exploitation is not possible per the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 4.8 and its vector AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N align well with the described vulnerability class. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privileged user - such as a standard ERPNext portal account - injects a JavaScript payload into an input field processed and stored by the MultiSelectDialog component, for example within a document name, tag, or linked record value. When a second user (such as a manager or administrator) opens a view that triggers the MultiSelectDialog and loads the stored content, the injected script executes in their browser session, potentially exfiltrating their session cookie or performing actions using their elevated privileges. …
Remediation No vendor-released patch has been identified at time of analysis; the fix status should be monitored via the upstream GitHub repository at https://github.com/frappe/frappe and the Fluid Attacks advisory at https://fluidattacks.com/es/advisories/extremoduro. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-50701 MEDIUM
5.1 Jun 24

Reflected Cross-Site Scripting in Frappe Framework 17.0.0-dev's dashboard-view component allows unauthenticated remote a

CVE-2026-50712 MEDIUM
4.8 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows authenticated low-privileged users to inject persistent malicious scrip

CVE-2026-50709 MEDIUM
4.8 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persist

CVE-2026-50703 MEDIUM
4.8 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persist

CVE-2026-50711 MEDIUM
4.6 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows a high-privileged authenticated user to inject persist

CVE-2026-50710 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework version 17.0.0-dev allows a high-privileged authenticated user to inject malicious JavaSc

CVE-2026-50705 MEDIUM
4.6 Jun 24

Cross-site scripting in Frappe Framework 17.0.0-dev allows a high-privileged attacker who can modify the Form Dashboard

CVE-2026-50704 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged attacker to inject persistent malicious scripts into

CVE-2026-50700 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows high-privileged authenticated attackers to inject persistent malicious

CVE-2026-50699 MEDIUM
4.6 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated attacker with write access to the Aut

CVE-2026-50698 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged authenticated attacker to inject persistent malicious

Share

CVE-2026-50708 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy