Description
Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0.
Published: 2026-03-05
Score: 1.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

A stored cross‑site scripting flaw lets an attacker save a crafted image URL as a user avatar. The template that renders the avatar (avatar_macro.html, per the advisory title) did not neutralize the stored value, so when the avatar is displayed the attacker's script runs in the viewing user's browser. Website page comments display the commenter's avatar, which is how the payload reaches other users: an attacker who can post a comment has the crafted avatar rendered to every visitor who reads that page, with no click required beyond viewing it. The consequences are those of any stored XSS in an authenticated web application, such as actions performed with the victim's session, theft of data visible to the victim, and page defacement. The weakness is CWE‑79 (improper neutralization of input during web page generation).

Affected Systems

The flaw is in the Frappe web application framework: version 16 releases earlier than 16.11.0 and version 15 releases earlier than 15.102.0. A deployment is exposed when an attacker can control a user account and set its image URL, and that avatar is then rendered to other users, for instance in website page comments. Releases 16.11.0 and 15.102.0, and later releases on their respective branches, contain the fix.

Risk and Exploitability

The CNA's CVSS 4.0 score is 1.3 (Low). Its vector, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U, describes a network‑reachable, low‑complexity attack with no privileges required; the threat metric E:U (no exploitation reported) is what pulls the score down. NVD separately assigned a CVSS 3.1 score of 7.2 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, so read the 1.3 as reflecting the absence of a known exploit rather than the mechanics of the flaw. The EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, while the SSVC assessment marks it Automatable: yes. The attack path is the web interface: the attacker stores a malicious image URL as their avatar and then posts a comment (or otherwise causes the avatar to be rendered) so that the script executes in the browser of anyone who views the page. The victim's part is passive (UI:P): viewing the affected page is enough, so every user who reads it is in scope.

Generated by OpenCVE AI on April 16, 2026 at 12:09 UTC.

Remediation

The vendor has patched the issue in Frappe 16.11.0 and 15.102.0 (see the description above). No separate workaround has been published.

OpenCVE Recommended Actions

  • Upgrade Frappe to 16.11.0 or later on the version 16 branch, or to 15.102.0 or later on the version 15 branch; these are the vendor‑supplied fixes.
  • Until the upgrade is deployed, reset user images that are not plain http(s) or site‑relative image paths to the default avatar, and review recently changed user image values for anything else.
  • In your own apps and custom templates, treat the user image field as untrusted: accept only http(s) or site‑relative URLs (an allow‑list, not a search for the string "javascript"), and HTML‑escape the value wherever it is placed in an attribute so a crafted value cannot break out of src.
  • Consider temporarily disabling website page comments from untrusted (self‑registered) users, since comments are the documented trigger that renders an attacker's avatar to other visitors.
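The sanitization step above is best done as an allow-list on the URL plus escaping at the point of output. The following Python is an added example written for this page; it is not Frappe's avatar_macro.html and uses no Frappe API, and the DEFAULT_AVATAR path and the function names are assumptions. It accepts only absolute http(s) URLs and site-relative paths, rejects every other scheme (javascript:, data:, protocol-relative //host) and any control characters, and then HTML-escapes the accepted value in attribute context so a quote inside an otherwise valid URL cannot break out of src.

```python
"""
Validate and render a user-supplied avatar URL so it cannot become stored XSS.
Illustrative code added for this page: not Frappe's template or API; the
default avatar path and function names are assumptions.
"""
import html
from urllib.parse import urlsplit

DEFAULT_AVATAR = "/assets/default-avatar.png"  # assumed fallback path


def safe_avatar_url(raw, default=DEFAULT_AVATAR):
    """Return `raw` if it is an absolute http(s) URL or a site-relative path,
    otherwise the default avatar.

    Rejected: javascript:, data:, vbscript: and every other scheme;
    protocol-relative URLs (//host/...); backslashes (browsers treat them as
    slashes in web URLs); and any ASCII control character or whitespace
    (browsers drop tab/newline inside a scheme, so "java\\tscript:" would
    slip past a naive prefix check).
    """
    if not isinstance(raw, str) or not raw:
        return default
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in raw) or "\\" in raw:
        return default
    try:
        parts = urlsplit(raw)  # lowercases the scheme, so JAVASCRIPT: is caught
    except ValueError:         # e.g. malformed IPv6 host "http://[::1"
        return default
    if parts.scheme in ("http", "https") and parts.netloc:
        return raw
    if parts.scheme == "" and parts.netloc == "" and raw.startswith("/"):
        return raw             # /files/alice.png, but not //evil.example/x
    return default


def render_avatar(raw_url, alt="avatar"):
    """Build the <img> tag with both defences: an allow-listed URL and
    attribute-context escaping of whatever ends up in src and alt."""
    url = safe_avatar_url(raw_url)
    return '<img class="avatar" src="{}" alt="{}">'.format(
        html.escape(url, quote=True), html.escape(alt, quote=True)
    )


if __name__ == "__main__":
    # Constructed inputs: the kind of values an attacker would try to store.
    samples = [
        "https://cdn.example.com/u/alice.png",
        "/files/alice.png",
        "javascript:alert(document.cookie)",
        "JaVaScRiPt:alert(1)",
        "java\tscript:alert(1)",
        "data:text/html,<script>alert(1)</script>",
        "//evil.example/steal.png",
        'x" onerror="alert(1)',
        'https://cdn.example.com/a"b.png',
    ]
    for s in samples:
        print(repr(s), "->", render_avatar(s))
```

Two layers are deliberate: the allow-list stops the javascript: and data: family regardless of how the value is later used, and the attribute escaping covers the case where an accepted URL still contains a quote or angle bracket. Neither layer is a substitute for the vendor patch.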



Advisories

No advisories yet.

History

Mon, 09 Mar 2026 19:15:00 +0000

Type      Values Removed    Values Added
CPEs                        cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*
Metrics                     cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Fri, 06 Mar 2026 17:15:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Frappe; Frappe frappe
Vendors & Products                      Frappe; Frappe frappe

Thu, 05 Mar 2026 20:45:00 +0000

Type          Values Removed    Values Added
Description                     Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0.
Title                           Frappe: Stored XSS in avatar_macro.html
Weaknesses                      CWE-79
References
Metrics                         cvssV4_0 {'score': 1.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T17:02:52.965Z

Reserved: 2026-02-27T15:54:05.139Z

Link: CVE-2026-28436

Vulnrichment

Updated: 2026-03-06T17:02:49.364Z

NVD

Status : Analyzed

Published: 2026-03-05T21:16:22.180

Modified: 2026-03-09T19:05:28.313

Link: CVE-2026-28436

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:15:35Z

Weaknesses