Description
Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other users' private workspaces. Specially crafted requests could lead to stored XSS here. This vulnerability is fixed in 14.100.2, 15.101.0, and 16.10.0.
Published: 2026-03-11
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS and unauthorized workspace modification
Action: Patch
AI Analysis

Impact

The root cause is a missing resource ownership check (the CVE title calls it "improper resource ownership checks"; NVD records the resulting weakness as CWE-79): the request path that modifies a workspace did not verify that the caller owns the private workspace being modified, so any authenticated user could overwrite another user's private workspace. Because workspace content is rendered in the desk UI, a crafted request could store script in a victim's workspace that executes in the victim's browser when they next open it, i.e. stored cross-site scripting. The CVSS 4.0 vector scores this as low confidentiality and low integrity impact on the subsequent (victim) system (SC:L/SI:L) with no impact on the vulnerable system itself; in practice that covers hijacking the affected user's session, defacing the workspace, and injecting further payloads into that user's session.
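The following is an added example, not OpenCVE's analysis text nor code from the Frappe project: a minimal in-memory model of the update path the advisory describes, with the unchecked version beside a hardened one that enforces ownership server-side and passes the content through an allowlist sanitizer before storing it. It assumes a workspace record carries an owner (`for_user`) and a `public` flag, as Frappe's Workspace doctype does; the role name "Workspace Manager", the handler signatures and the sanitizer are illustrative choices made here, not Frappe's own permission code or its sanitize_html.

```python
"""Added example (not Frappe's code): ownership check + sanitizer for a
workspace update path. Assumptions: records have `for_user` and `public`;
"Workspace Manager" is a hypothetical role allowed to edit public ones."""
from dataclasses import dataclass
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit


@dataclass
class Workspace:
    name: str
    for_user: str      # owner of a private workspace ("" for public ones)
    public: bool
    content: str       # HTML-ish block content rendered in the desk UI


class WorkspacePermissionError(Exception):
    pass


PUBLIC_EDITOR_ROLES = {"Workspace Manager"}          # hypothetical role name

# Allowlist for the sanitizer: formatting only, plus links with safe schemes.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", ""}                  # "" covers relative URLs


def _safe_href(value):
    """True only for http(s) or relative URLs; unparsable values are unsafe."""
    try:
        return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup keeping only allowlisted tags/attributes. <script>,
    <img onerror=...>, <style>, event handlers and javascript: URLs are all
    dropped; text (including text inside dropped tags) is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for key, value in attrs:
            if key not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                          # drops onclick=, style=, ...
            if key == "href" and not _safe_href(value):
                continue                          # drops javascript:, data:, ...
            kept.append(f' {key}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag != "br":
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize_html(markup):
    s = AllowlistSanitizer()
    s.feed(markup)
    s.close()
    return "".join(s.out)


def update_workspace_vulnerable(store, session_user, name, new_content):
    """Pattern matching the advisory: look the record up by name and store
    the caller's content. `session_user` is received but never consulted."""
    doc = store[name]
    doc.content = new_content
    return doc


def update_workspace_hardened(store, session_user, name, new_content, user_roles=()):
    """Same operation with ownership enforced, then content sanitized."""
    doc = store.get(name)
    if doc is None:
        raise KeyError(name)
    if doc.public:
        if not PUBLIC_EDITOR_ROLES & set(user_roles):
            raise WorkspacePermissionError(f"{session_user} may not edit public workspace {name}")
    elif doc.for_user != session_user:
        raise WorkspacePermissionError(f"{session_user} does not own private workspace {name}")
    doc.content = sanitize_html(new_content)
    return doc


if __name__ == "__main__":
    # Constructed sample: alice's private workspace, payload sent by mallory.
    store = {"Home-alice": Workspace("Home-alice", "alice", False, "<p>welcome</p>")}
    payload = '<p>hi</p><img src=x onerror="alert(document.cookie)"><a href="javascript:alert(1)">x</a>'
    print(update_workspace_vulnerable(store, "mallory", "Home-alice", payload).content)
    try:
        update_workspace_hardened(store, "mallory", "Home-alice", payload)
    except WorkspacePermissionError as exc:
        print("blocked:", exc)
    print(update_workspace_hardened(store, "alice", "Home-alice", payload).content)
```

The ownership check is the fix the advisory title describes; the sanitizer is defence in depth, since the owner of a workspace can still store script that runs in their own session and in anyone else's the workspace is later shared with. Note that the allowlist approach leaves the text of dropped elements (for example the body of a `<style>` tag) visible as plain text, which is harmless but may look odd.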

Affected Systems

This issue affects Frappe (CPE frappe:frappe) on all three maintained release lines: 14.x before 14.100.2, 15.x before 15.101.0, and 16.x before 16.10.0. The advisory names those exact releases as the fixed versions; the fix is branch-specific, so a 15.x install is not covered by being "newer than 14.100.2".

Risk and Exploitability

The CVSS 4.0 base score of 5.1 (NVD's CVSS 3.1 score is 5.4) places the flaw at Medium severity; the EPSS score below 1% indicates a low predicted likelihood of exploitation, the CVE is not in CISA's KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. The vector (AV:N/AC:L/AT:N/PR:L/UI:P) means the attacker needs only a low-privileged authenticated account, not any permission on the target's workspace, because the missing ownership check is the bug itself; the user interaction is passive, i.e. the victim merely opens their own workspace. Successful exploitation stores persistent script in the victim's workspace, which could hijack that user's session or deliver further attacks.

Generated by OpenCVE AI on March 17, 2026 at 16:29 UTC.

Remediation

Vendor fix: upgrade to the patched release for the branch in use (14.100.2, 15.101.0, or 16.10.0). No workaround is documented. Since exploitation requires an authenticated account (PR:L), unpatched instances that allow untrusted users to sign in carry the most exposure.

OpenCVE Recommended Actions

  • Upgrade Frappe to the fixed release for the branch you run: 14.100.2 (14.x), 15.101.0 (15.x), or 16.10.0 (16.x).
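Because the fixed releases are branch-specific (see Affected Systems above), checking an installation with a single "is it newer than 14.100.2" comparison gives wrong answers for 15.x and 16.x. The following added example, which is not OpenCVE's or Frappe's code, compares the installed frappe version against the fixed release of its own major branch. It assumes version strings are dotted integers with an optional suffix, and that `bench version` prints one "<app> <version>" line per app, which is how the sample input below is constructed.

```python
"""Added example: branch-aware check of an installed frappe version against
the fixed releases in the advisory. Assumes `bench version` prints lines of
the form "<app> <version>" (not verified for every bench release)."""
import re

# Fixed releases from the advisory, keyed by major version branch.
FIXED_BY_BRANCH = {
    14: (14, 100, 2),
    15: (15, 101, 0),
    16: (16, 10, 0),
}


def parse_version(text):
    """Return (major, minor, patch) for strings like "15.50.0", "v15.50.0",
    or "15.50.0-dev"; suffixes after the patch number are ignored, so a
    pre-release of a fixed version is treated as fixed (a known limitation)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_fixed(version_text):
    """True if the version is at or above the fixed release of its branch.
    Branches with no listed fix (e.g. 13.x) are reported as not fixed;
    a major newer than any listed branch is assumed (here) to carry it."""
    ver = parse_version(version_text)
    major = ver[0]
    if major in FIXED_BY_BRANCH:
        return ver >= FIXED_BY_BRANCH[major]
    return major > max(FIXED_BY_BRANCH)


def frappe_version_from_bench_output(output):
    """Pull the frappe version out of captured `bench version` output;
    returns None if no frappe line is present."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "frappe":
            return parts[1]
    return None


def check_bench_output(output):
    """Return (installed_version, fixed?) for captured `bench version` output."""
    version = frappe_version_from_bench_output(output)
    if version is None:
        raise ValueError("frappe not found in bench version output")
    return version, is_fixed(version)


if __name__ == "__main__":
    # Constructed sample output; in practice pipe the real `bench version` in.
    SAMPLE = "erpnext 15.49.0\nfrappe 15.50.0\nhrms 15.30.0\n"
    print(check_bench_output(SAMPLE))
```

Run it from the bench directory as `bench version | python3 check_frappe.py` after replacing the constructed `SAMPLE` with `sys.stdin.read()`; a result of `False` means the installed branch is below its fixed release.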

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 18:00:00 +0000

Type                  Values Removed   Values Added
CPEs                  (none)           cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*
Metrics (cvssV3_1)    (none)           {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Thu, 12 Mar 2026 10:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Frappe; Frappe frappe
Vendors & Products    (none)           Frappe; Frappe frappe

Wed, 11 Mar 2026 20:15:00 +0000

Type                  Values Removed   Values Added
Metrics (ssvc)        (none)           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 18:45:00 +0000

Type                  Values Removed   Values Added
Description           (none)           Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other user's private workspaces. Specially crafted requests could lead to stored XSS here. This vulnerability is fixed in 14.100.2, 15.101.0, and 16.10.0.
Title                 (none)           Frappe Workspace modification and stored XSS due to improper resource ownership checks
Weaknesses            (none)           CWE-79
References            (none)
Metrics (cvssV4_0)    (none)           {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T19:30:30.761Z

Reserved: 2026-03-09T21:59:02.686Z

Link: CVE-2026-31879

Vulnrichment

Updated: 2026-03-11T19:30:20.277Z

NVD

Status : Analyzed

Published: 2026-03-11T19:16:04.627

Modified: 2026-03-13T17:48:48.793

Link: CVE-2026-31879

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:29:33Z

Weaknesses