Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger script execution when users open the affected Auto Repeat form.
Published: 2026-06-24
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting flaw resides in the reference_document field of the Auto Repeat dashboard of Frappe Framework 17.0.0-dev. An attacker who can write to Auto Repeat can embed arbitrary HTML or JavaScript. When another user opens the affected form, the malicious code executes in that user’s browser, allowing the attacker to hijack sessions, steal cookies, or perform other client‑side attacks. The flaw does not provide direct arbitrary code execution on the server, so the scope is limited to the victim’s browser context.

Affected Systems

Frappe Framework 17.0.0-dev, operating on Linux, macOS and Windows platforms.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate risk. EPSS data is unavailable, and the vulnerability is not listed in the KEV catalog; thus, exploit likelihood is not currently quantified. The attack requires an authenticated user with write access to Auto Repeat, so it relies on existing credential compromise or privilege escalation. Without such access, the vulnerability is unusable, but once access is obtained, script execution can be achieved in any user session that opens the form.

Generated by OpenCVE AI on June 24, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe Framework to the latest release where this issue has been fixed; if a patch is not available, discontinue use of the Auto Repeat feature until remediation is applied.
  • Remove or sanitize the reference_document field before persistence or output by filtering or escaping all HTML and JavaScript content; enforce strict content‑type validation on the field.
  • Restrict write permissions to Auto Repeat dashboards to only trusted administrative individuals and monitor for any anomalous modifications to reference_document or related fields.

Generated by OpenCVE AI on June 24, 2026 at 15:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Frappe framework
Vendors & Products Frappe framework

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger script execution when users open the affected Auto Repeat form.
Title Frappe Framework 17.0.0-dev - Stored XSS in Auto Repeat dashboard schedule rendering
First Time appeared Frappe
Frappe frappe Framework
Weaknesses CWE-79
CPEs cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*
cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*
cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*
Vendors & Products Frappe
Frappe frappe Framework
References
Metrics cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Frappe Framework Frappe Framework
cve-icon MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-06-24T14:45:48.861Z

Reserved: 2026-06-05T14:49:25.369Z

Link: CVE-2026-50699

cve-icon Vulnrichment

Updated: 2026-06-24T14:45:37.333Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T17:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')