Frappe Framework
Monthly
Stored XSS in Frappe Framework 17.0.0-dev allows authenticated low-privileged users to inject persistent malicious scripts via the frappe.ui.Tree component, which then execute in the browsers of other users who load the affected tree view. Reported by Fluid Attacks, this vulnerability carries a CVSS 4.0 score of 4.8 reflecting cross-user scope change impact despite limited direct system compromise. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows a high-privileged authenticated user to inject persistent malicious scripts into the Number Card dashboard component, which then execute in the browsers of other users who view the affected dashboard. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation requires admin-level access to plant the payload and a victim's browser interaction to trigger it, limiting realistic blast radius despite the network delivery vector. No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored XSS in Frappe Framework version 17.0.0-dev allows a high-privileged authenticated user to inject malicious JavaScript through the Number Card dashboard component, which subsequently executes in other authenticated users' browser sessions when they view affected dashboards. The CVSS 4.0 score of 4.6 (Medium) reflects the dual constraint of requiring high-privilege credentials to plant the payload and active victim interaction to trigger it - both of which meaningfully limit real-world exploitability. No public exploit code or CISA KEV listing is identified at time of analysis; this was reported by Fluid Attacks.
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persistent JavaScript payloads via the Notifications > Events panel, which execute in the browser context of any user who subsequently views that panel. The CVSS 4.0 vector confirms subsequent-system scope impact (SC:L/SI:L), meaning the attack targets other users rather than the attacker's own session. No public exploit has been identified and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
Stored XSS in Frappe Framework 17.0.0-dev's MultiSelectDialog component allows authenticated low-privileged attackers to inject persistent malicious scripts that execute in other users' browsers when the compromised UI element is rendered. Per the CVSS 4.0 vector (PR:L/UI:A/SC:L/SI:L), exploitation requires a valid low-privilege account and active victim interaction, but the scope change to the subsequent system confirms cross-user impact on confidentiality and integrity. No public exploit code and no CISA KEV listing exist at time of analysis; the 17.0.0-dev designation suggests exposure may currently be limited to pre-release or development deployments.
Cross-site scripting in Frappe Framework 17.0.0-dev allows a high-privileged attacker who can modify the Form Dashboard headline to inject malicious JavaScript that executes in the browsers of other users who subsequently view the affected form. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation is gated behind two significant barriers: attacker must hold high-privilege application credentials and a victim must actively navigate to the injected form. No public exploit code and no active exploitation (CISA KEV) have been identified at the time of analysis; this was reported by Fluid Attacks.
Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged attacker to inject persistent malicious scripts into the File View breadcrumb renderer, which then execute in the browsers of other users who navigate to the affected view. The CVSS 4.0 vector (PR:H, UI:A, SC:L/SI:L) confirms that while network delivery is possible, exploitation is constrained by the need for elevated access to inject the payload and victim interaction to trigger it, with impact limited to the subsequent system (victim browser). No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persistent malicious scripts via the Desk desktop icon renderer, which then execute in the browsers of other users - including administrators - who subsequently view the affected Desk interface. The vulnerability was reported by Fluid Attacks and carries a CVSS 4.0 score of 4.8 (Medium), reflecting cross-user impact limited to the subsequent-system scope (SC:L/SI:L). No public exploit code or active exploitation has been identified at time of analysis.
Reflected Cross-Site Scripting in Frappe Framework 17.0.0-dev's dashboard-view component allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted URL. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A) confirms no authentication is required from the attacker, though victim interaction is mandatory. Impact is confined to the subsequent system (victim browser session), with low integrity and confidentiality consequences; no active exploitation or public POC has been identified at time of analysis.
Stored XSS in Frappe Framework 17.0.0-dev allows high-privileged authenticated attackers to inject persistent malicious scripts via the `frappe.get_avatar` function, which execute in victims' browsers when the crafted content is rendered. The CVSS 4.0 score of 4.6 (Medium) reflects the PR:H requirement to store the payload and UI:A requirement for victim interaction, with impact limited to subsequent systems (other users' sessions). No public exploit or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated attacker with write access to the Auto Repeat module to inject persistent HTML/JavaScript into the reference_document field via a whitelisted write path, bypassing server-side input controls. When any user opens the affected Auto Repeat form, the injected payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized UI manipulation on behalf of the victim. No public exploit code or confirmed active exploitation (CISA KEV) has been identified at time of analysis; however, the stored (persistent) nature of this XSS makes it more dangerous than reflected variants within shared Frappe deployments.
Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged authenticated attacker to inject persistent malicious scripts into the Audit Trail component, which then execute in the browsers of other privileged users who view that trail. The vulnerability arises from improper input neutralization (CWE-79) before HTML rendering in the audit logging subsystem, and is assigned a CVSS 4.0 score of 4.6 reflecting the high-privilege prerequisite and required victim interaction. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis.
Stored XSS in Frappe Framework 17.0.0-dev allows authenticated low-privileged users to inject persistent malicious scripts via the frappe.ui.Tree component, which then execute in the browsers of other users who load the affected tree view. Reported by Fluid Attacks, this vulnerability carries a CVSS 4.0 score of 4.8 reflecting cross-user scope change impact despite limited direct system compromise. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows a high-privileged authenticated user to inject persistent malicious scripts into the Number Card dashboard component, which then execute in the browsers of other users who view the affected dashboard. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation requires admin-level access to plant the payload and a victim's browser interaction to trigger it, limiting realistic blast radius despite the network delivery vector. No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored XSS in Frappe Framework version 17.0.0-dev allows a high-privileged authenticated user to inject malicious JavaScript through the Number Card dashboard component, which subsequently executes in other authenticated users' browser sessions when they view affected dashboards. The CVSS 4.0 score of 4.6 (Medium) reflects the dual constraint of requiring high-privilege credentials to plant the payload and active victim interaction to trigger it - both of which meaningfully limit real-world exploitability. No public exploit code or CISA KEV listing is identified at time of analysis; this was reported by Fluid Attacks.
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persistent JavaScript payloads via the Notifications > Events panel, which execute in the browser context of any user who subsequently views that panel. The CVSS 4.0 vector confirms subsequent-system scope impact (SC:L/SI:L), meaning the attack targets other users rather than the attacker's own session. No public exploit has been identified and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
Stored XSS in Frappe Framework 17.0.0-dev's MultiSelectDialog component allows authenticated low-privileged attackers to inject persistent malicious scripts that execute in other users' browsers when the compromised UI element is rendered. Per the CVSS 4.0 vector (PR:L/UI:A/SC:L/SI:L), exploitation requires a valid low-privilege account and active victim interaction, but the scope change to the subsequent system confirms cross-user impact on confidentiality and integrity. No public exploit code and no CISA KEV listing exist at time of analysis; the 17.0.0-dev designation suggests exposure may currently be limited to pre-release or development deployments.
Cross-site scripting in Frappe Framework 17.0.0-dev allows a high-privileged attacker who can modify the Form Dashboard headline to inject malicious JavaScript that executes in the browsers of other users who subsequently view the affected form. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation is gated behind two significant barriers: attacker must hold high-privilege application credentials and a victim must actively navigate to the injected form. No public exploit code and no active exploitation (CISA KEV) have been identified at the time of analysis; this was reported by Fluid Attacks.
Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged attacker to inject persistent malicious scripts into the File View breadcrumb renderer, which then execute in the browsers of other users who navigate to the affected view. The CVSS 4.0 vector (PR:H, UI:A, SC:L/SI:L) confirms that while network delivery is possible, exploitation is constrained by the need for elevated access to inject the payload and victim interaction to trigger it, with impact limited to the subsequent system (victim browser). No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persistent malicious scripts via the Desk desktop icon renderer, which then execute in the browsers of other users - including administrators - who subsequently view the affected Desk interface. The vulnerability was reported by Fluid Attacks and carries a CVSS 4.0 score of 4.8 (Medium), reflecting cross-user impact limited to the subsequent-system scope (SC:L/SI:L). No public exploit code or active exploitation has been identified at time of analysis.
Reflected Cross-Site Scripting in Frappe Framework 17.0.0-dev's dashboard-view component allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted URL. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A) confirms no authentication is required from the attacker, though victim interaction is mandatory. Impact is confined to the subsequent system (victim browser session), with low integrity and confidentiality consequences; no active exploitation or public POC has been identified at time of analysis.
Stored XSS in Frappe Framework 17.0.0-dev allows high-privileged authenticated attackers to inject persistent malicious scripts via the `frappe.get_avatar` function, which execute in victims' browsers when the crafted content is rendered. The CVSS 4.0 score of 4.6 (Medium) reflects the PR:H requirement to store the payload and UI:A requirement for victim interaction, with impact limited to subsequent systems (other users' sessions). No public exploit or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated attacker with write access to the Auto Repeat module to inject persistent HTML/JavaScript into the reference_document field via a whitelisted write path, bypassing server-side input controls. When any user opens the affected Auto Repeat form, the injected payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized UI manipulation on behalf of the victim. No public exploit code or confirmed active exploitation (CISA KEV) has been identified at time of analysis; however, the stored (persistent) nature of this XSS makes it more dangerous than reflected variants within shared Frappe deployments.
Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged authenticated attacker to inject persistent malicious scripts into the Audit Trail component, which then execute in the browsers of other privileged users who view that trail. The vulnerability arises from improper input neutralization (CWE-79) before HTML rendering in the audit logging subsystem, and is assigned a CVSS 4.0 score of 4.6 reflecting the high-privilege prerequisite and required victim interaction. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis.