Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Admin privileges required to store the payload (PR:H), victim must load the page (UI:R), and stored XSS changes scope to affect other users' sessions (S:C) with limited confidentiality and integrity impact.
Primary rating from Vendor (Fluid Attacks).
CVSS VectorVendor: Fluid Attacks
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component.
AnalysisAI
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows a high-privileged authenticated user to inject persistent malicious scripts into the Number Card dashboard component, which then execute in the browsers of other users who view the affected dashboard. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation requires admin-level access to plant the payload and a victim's browser interaction to trigger it, limiting realistic blast radius despite the network delivery vector. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a high-privilege authenticated session (PR:H per CVSS vector) with permission to create or edit Number Card components in the Frappe dashboard. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 4.6 (Medium) accurately reflects a constrained attack surface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with administrative access to a Frappe instance - whether a malicious insider or an external actor who has compromised an admin credential - navigates to the Number Card configuration interface and injects a JavaScript payload (e.g., a cookie-stealing script) into an unsanitized field. The payload is stored server-side and rendered each time any user loads a dashboard containing that card, silently exfiltrating session tokens or performing actions on the victim's behalf. |
| Remediation | No vendor-released patch version has been identified in the available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Frappe Framework
View allReflected Cross-Site Scripting in Frappe Framework 17.0.0-dev's dashboard-view component allows unauthenticated remote a
Stored XSS in Frappe Framework 17.0.0-dev allows authenticated low-privileged users to inject persistent malicious scrip
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persist
Stored XSS in Frappe Framework 17.0.0-dev's MultiSelectDialog component allows authenticated low-privileged attackers to
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persist
Stored XSS in Frappe Framework version 17.0.0-dev allows a high-privileged authenticated user to inject malicious JavaSc
Cross-site scripting in Frappe Framework 17.0.0-dev allows a high-privileged attacker who can modify the Form Dashboard
Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged attacker to inject persistent malicious scripts into
Stored XSS in Frappe Framework 17.0.0-dev allows high-privileged authenticated attackers to inject persistent malicious
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated attacker with write access to the Aut
Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged authenticated attacker to inject persistent malicious
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38807
GHSA-g23q-hh57-9ww7