Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stored XSS requires a low-privilege account to author the Note (PR:L) and victim browser interaction to trigger it (UI:R), with scope change affecting the victim's browser session.
Primary rating from Vendor (GitHub_M).
Description (source: CVE.org)
Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, stored XSS in Note was possible due to lack of sanitization. This issue has been patched in versions 15.106.0 and 16.16.0.
Analysis (AI-generated)
Stored cross-site scripting in the Frappe framework's Note feature allows a low-privileged attacker to persist malicious JavaScript that executes in the browsers of users who subsequently view the poisoned note. All Frappe deployments on the v15 branch prior to 15.106.0 and the v16 branch prior to 16.16.0 are affected. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the attacker to hold a valid Frappe user account with sufficient permissions to create or edit Notes in the target instance, typically any standard low-privilege role. … |
| Risk Assessment | The reported CVSS 4.0 score of 6.9 with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N warrants scrutiny: a PR:N and UI:N rating is inconsistent with the stored XSS vulnerability class, which inherently requires at minimum victim browser interaction (UI:P in CVSS 4.0) and typically low privilege to author a Note (PR:L). … |
| Exploit Scenario | A low-privileged Frappe user, such as a standard employee account in an ERPNext deployment, creates a Note containing a crafted JavaScript payload embedded in an HTML attribute or script tag. When a higher-privileged user such as an HR manager or system administrator opens the note, the payload executes silently in their browser session, enabling cookie exfiltration or unauthorized API calls on their behalf. … |
| Remediation | Upgrade to Frappe version 15.106.0 or later on the v15 branch, or version 16.16.0 or later on the v16 branch, as confirmed by the vendor advisory at https://github.com/frappe/frappe/security/advisories/GHSA-vxmp-h244-wv3r. … |
EUVD ID: EUVD-2026-36452