Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component.
Published: 2026-06-24
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting flaw exists in Frappe Framework 17.0.0‑dev when the Audit Trail component fails to neutralize user‑controlled input before rendering it as HTML. The vulnerable code stores the raw input in the database and later injects it into a browser page without proper encoding. Based on the description, it is inferred that a malicious script could be executed in the browsers of any user who views the affected audit trail entries, potentially allowing an attacker to steal session cookies or perform other client‑side attacks.

Affected Systems

Frappe Framework 17.0.0‑dev is affected on Linux, macOS and Windows, as indicated by the common platform enumeration strings. The flaw is present in any deployment of the 17.0.0‑dev release where the Audit Trail component can be influenced by untrusted users.

Risk and Exploitability

The CVSS score of 4.6 classifies this issue as moderate severity. The EPSS score is not available and the vulnerability is not listed in CISA KEV, suggesting a low to moderate exploitation likelihood. Because the flaw is stored, any user or process that can insert or modify audit trail entries represents a potential attack vector. Successful exploitation would compromise the confidentiality of user sessions and could lead to credential theft or session hijacking, but does not directly affect system integrity or availability.

Generated by OpenCVE AI on June 24, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Frappe Framework release that contains the fix for the stored XSS flaw
  • If an update is not immediately possible, restrict or disable audit trail logging for untrusted input sources
  • Implement strict output encoding or sanitization for any user‑controlled data stored in audit trails

Generated by OpenCVE AI on June 24, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Frappe framework
Vendors & Products Frappe framework

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component.
Title Frappe Framework 17.0.0-dev - Stored XSS in Audit Trail template rendering
First Time appeared Frappe
Frappe frappe Framework
Weaknesses CWE-79
CPEs cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*
cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*
cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*
Vendors & Products Frappe
Frappe frappe Framework
References
Metrics cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Frappe Framework Frappe Framework
cve-icon MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-06-24T14:48:14.522Z

Reserved: 2026-06-05T14:49:25.369Z

Link: CVE-2026-50698

cve-icon Vulnrichment

Updated: 2026-06-24T14:48:00.755Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T17:45:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')