Description
Frappe is a full-stack web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allows an attacker to execute malicious scripts in the browsers of other users. This issue has been patched in version 15.106.0.
Published: 2026-06-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting vulnerability exists in the user profile image upload feature of the Frappe framework. By uploading a crafted image that contains malicious script code, an attacker can inject executable payloads into the database. When other users view the profile, the malicious script runs in their browsers, potentially enabling the theft of session cookies, credentials, or other sensitive data, and may also serve as a vector for further malware delivery. The weakness is classified as CWE‑79.

Affected Systems

Vulnerable installations are those running any release of the Frappe framework prior to version 15.106.0. The issue was patched in that release; therefore any deployments using older 15.x releases, or earlier series, are at risk. All users who can upload or manage their profile image are affected, and any other users who view those profiles can be impacted.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. The EPSS score of less than 1% suggests that exploitation is considered unlikely, and the vulnerability is not currently listed in the CISA KEV catalogue. However, an attacker who can upload a malicious image can place code that runs in the context of other users merely when they visit the profile page. Any other user who can view the profile, whether authenticated or viewing it publicly, can be affected, and exploitation requires no privileges beyond the ability to upload a profile image.

Generated by OpenCVE AI on June 12, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe to version 15.106.0 or later to remove the vulnerability
  • Ensure that user‑supplied images are validated to accept only safe formats and that any embedded scripts are stripped or encoded before storage
  • Implement a Content Security Policy that disallows inline scripts or restricts script sources to trusted origins
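One concrete form of the second and third actions, added here as an example that is not Frappe's code: the upload handler sniffs the file's magic bytes and allows only raster formats, so markup-capable files (SVG, HTML) are never stored as a profile image, and stored files are served with headers that stop the browser from executing anything in them. The page does not say which format carried the script; the allow-list rejects every non-raster format regardless. The size cap and the sample inputs are assumed and constructed for this example.

```python
from typing import Dict, Optional, Tuple

# Magic-byte signatures for the only formats a profile picture needs (allow-list).
SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # size cap for a profile picture (assumed policy, not Frappe's)

# Constructed sample uploads (not real files): a bare PNG header, and a markup file
# carrying a script element of the kind a browser would execute if served as-is.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_SVG = b"<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>"


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None for anything else."""
    for mime, sigs in SIGNATURES.items():
        if data.startswith(sigs):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":  # WebP: RIFF container tagged WEBP
        return "image/webp"
    return None


def validate_profile_image(data: bytes, declared_type: str) -> Tuple[bool, str]:
    """Accept only when the sniffed type is a raster image AND matches the declared type.

    Returns (accepted, reason). The client-supplied Content-Type is never trusted on
    its own: it is attacker-controlled, so the bytes decide.
    """
    if len(data) > MAX_BYTES:
        return False, "file too large"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "not a recognised raster image (markup such as SVG/HTML is rejected)"
    declared = declared_type.split(";")[0].strip().lower()
    if sniffed != declared:
        return False, f"declared {declared!r} but content is {sniffed}"
    return True, sniffed


def user_content_headers(mime: str) -> Dict[str, str]:
    """Headers for serving stored uploads so the browser treats them as inert data."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",  # forbid sniffing the body into text/html
        "Content-Security-Policy": "default-src 'none'; sandbox",  # no script, opaque origin
        "Content-Disposition": "inline",
    }
```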

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 16:30:00 +0000

Type          | Values Removed | Values Added
Metrics ssvc  |                | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 15:45:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Frappe; Frappe frappe
Vendors & Products   |                | Frappe; Frappe frappe

Fri, 12 Jun 2026 14:30:00 +0000

Type              | Values Removed | Values Added
Description       |                | Frappe is a full-stack web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allows an attacker to execute malicious scripts in the browsers of other users. This issue has been patched in version 15.106.0.
Title             |                | Frappe: Stored Cross-Site Scripting (XSS) in User Profile through Image Upload
Weaknesses        |                | CWE-79
References        |                |
Metrics cvssV4_0  |                | {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T16:02:36.022Z

Reserved: 2026-05-05T15:13:47.571Z

Link: CVE-2026-44205

Vulnrichment

Updated: 2026-06-12T16:02:32.426Z

NVD

Status: Deferred

Published: 2026-06-12T15:16:25.920

Modified: 2026-06-12T15:56:54.563

Link: CVE-2026-44205

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T15:30:31Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')