Description
Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, stored XSS in Note was possible due to lack of sanitization. This issue has been patched in versions 15.106.0 and 16.16.0.
Published: 2026-06-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability consists of a stored XSS flaw in the Note field of the Frappe web application framework, caused by insufficient input sanitization. When an attacker injects malicious script into a note, the script is later displayed to any users who view the note, allowing arbitrary JavaScript execution in the victim’s browser context. This can lead to data theft, session hijacking, or malicious interactions with the web application, posing a moderate impact on confidentiality, integrity, and availability of user sessions.

Affected Systems

The flaw affects Frappe deployments running any version prior to 15.106.0 and 16.16.0. Any installation of the Frappe core framework that has not applied these patches is potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.9 reflects a moderate severity. The EPSS score of less than 1% indicates a very low probability that exploitation is occurring or will occur soon, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is the Note input field, where an attacker can inject script payloads. The attack may require an authenticated user or the ability to create a note, but the exact prerequisites are not detailed in the advisory; in practice, any user who can add or edit notes that are subsequently rendered without proper sanitization could exploit it.

Generated by OpenCVE AI on June 12, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe to a patched release (15.106.0 or later, or 16.16.0 or later), which includes the security fix.
  • If an upgrade is not immediately possible, remove or sanitize existing notes containing untrusted content and restrict the creation of new notes by untrusted users.
  • Configure a web application firewall or request sanitizer to block or escape script payloads submitted to the Note field.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 17:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 15:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Frappe, Frappe frappe

Type: Vendors & Products
Values Removed: (none)
Values Added: Frappe, Frappe frappe

Fri, 12 Jun 2026 14:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, stored XSS in Note was possible due to lack of sanitization. This issue has been patched in versions 15.106.0 and 16.16.0.

Type: Title
Values Removed: (none)
Values Added: Frappe: Stored XSS in Note

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0
{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T16:30:37.147Z

Reserved: 2026-05-19T22:16:39.504Z

Link: CVE-2026-47739

Vulnrichment

Updated: 2026-06-12T16:28:54.088Z

NVD

Status: Deferred

Published: 2026-06-12T15:16:29.553

Modified: 2026-06-12T15:56:54.563

Link: CVE-2026-47739

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T15:30:31Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')