Skip to main content

Frappe Framework EUVDEUVD-2026-38795

| CVE-2026-50699 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-24 Fluid Attacks GHSA-5h93-rrcv-vggv
4.6
CVSS 4.0 · Vendor: Fluid Attacks
Share

Severity by source

Vendor (Fluid Attacks) PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.8 MEDIUM

High privilege required to write Auto Repeat records (PR:H); victim must open the form (UI:R); scope changes to victim browser (S:C) with low C/I impact; no availability impact applies.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Fluid Attacks).

CVSS VectorVendor: Fluid Attacks

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 14:51 vuln.today

DescriptionCVE.org

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger script execution when users open the affected Auto Repeat form.

AnalysisAI

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated attacker with write access to the Auto Repeat module to inject persistent HTML/JavaScript into the reference_document field via a whitelisted write path, bypassing server-side input controls. When any user opens the affected Auto Repeat form, the injected payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized UI manipulation on behalf of the victim. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate with high-privilege Frappe account
Delivery
Access Auto Repeat module write endpoint (whitelisted path)
Exploit
Inject JavaScript payload into reference_document field
Install
Payload persisted to database without sanitization
C2
Victim user opens affected Auto Repeat form
Execute
Stored script executes in victim browser context
Impact
Session token or sensitive data exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Frappe Framework user account with write access to the Auto Repeat module (PR:H per CVSS 4.0 vector) - a non-default, privileged role assignment, not a capability granted to standard users. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 4.6 (Medium) accurately reflects constrained but real exploitation conditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated attacker holding a Frappe account with write privileges to Auto Repeat submits a crafted Auto Repeat record in which the reference_document field contains a JavaScript payload (e.g., a cookie-stealing script). Because the whitelisted write path accepts the input and the framework stores it without sanitization, the payload is persisted to the database. …
Remediation No vendor-released patch has been identified at time of analysis; a confirmed fix version is not available from the provided references. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-50701 MEDIUM
5.1 Jun 24

Reflected Cross-Site Scripting in Frappe Framework 17.0.0-dev's dashboard-view component allows unauthenticated remote a

CVE-2026-50712 MEDIUM
4.8 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows authenticated low-privileged users to inject persistent malicious scrip

CVE-2026-50709 MEDIUM
4.8 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persist

CVE-2026-50708 MEDIUM
4.8 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev's MultiSelectDialog component allows authenticated low-privileged attackers to

CVE-2026-50703 MEDIUM
4.8 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persist

CVE-2026-50711 MEDIUM
4.6 Jun 24

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows a high-privileged authenticated user to inject persist

CVE-2026-50710 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework version 17.0.0-dev allows a high-privileged authenticated user to inject malicious JavaSc

CVE-2026-50705 MEDIUM
4.6 Jun 24

Cross-site scripting in Frappe Framework 17.0.0-dev allows a high-privileged attacker who can modify the Form Dashboard

CVE-2026-50704 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged attacker to inject persistent malicious scripts into

CVE-2026-50700 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows high-privileged authenticated attackers to inject persistent malicious

CVE-2026-50698 MEDIUM
4.6 Jun 24

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged authenticated attacker to inject persistent malicious

Share

EUVD-2026-38795 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy