Severity by source

Primary rating from Vendor (GitHub_M). CVSS vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Metric note: profile image upload requires authentication (PR:L); the stored XSS triggers only when a victim visits the profile (UI:R); script execution in the victim's browser constitutes a scope change (S:C) with low confidentiality and integrity impact.
Description (source: CVE.org)
Frappe is a full-stack web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allows an attacker to execute malicious scripts in the browsers of other users. This issue has been patched in version 15.106.0.
Analysis (AI-generated)
Stored cross-site scripting in Frappe's user profile image section enables script injection that executes in the browsers of any user who views the compromised profile. Affected versions are all Frappe releases prior to 15.106.0. …
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must have the ability to set or update a profile image in the Frappe instance - in most deployments this requires an authenticated user account, making PR:L the realistic privilege level despite the PR:N in the provided CVSS 4.0 vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.9 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N warrants scrutiny: the PR:N (no privileges required) and UI:N metrics are inconsistent with the described attack scenario, which involves an attacker uploading a malicious profile image - an action that typically requires an authenticated session in Frappe. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a Frappe account crafts a profile image upload containing an embedded JavaScript payload that evades server-side sanitization. When a legitimate user - such as an administrator or coworker - navigates to the attacker's profile page, the malicious script executes silently in their browser, potentially exfiltrating session cookies or CSRF tokens to an attacker-controlled server. … |
| Remediation | Upgrade Frappe to version 15.106.0 or later, which contains the vendor-confirmed patch per the GitHub advisory at https://github.com/frappe/frappe/security/advisories/GHSA-2wx6-8gmq-x4fw. … Detailed patch versions, workarounds, and compensating controls in full report. |
External reference: EUVD-2026-36454