Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.get_avatar function.
Published: 2026-06-24
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting vulnerability exists in Frappe Framework 17.0.0‑dev due to improper neutralization of user‑controlled input in the frappe.get_avatar function. The flaw allows an attacker to embed malicious script code that will be executed in the context of the victim’s browser whenever the avatar image is rendered. This can lead to credential theft, session hijacking, defacement, or delivery of malware to users who view the affected avatar.

Affected Systems

The affected product is the Frappe Framework 17.0.0‑dev version running on Linux, macOS, or Windows operating systems.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply a malicious avatar image that is then rendered by a user's browser; the attack vector is therefore client-side and depends on a user visiting the page where the avatar is displayed. The risk remains moderate under typical usage, but any path that lets untrusted users supply avatar images makes exploitation plausible.

Generated by OpenCVE AI on June 24, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe Framework to a version that includes the patch for the get_avatar neutralization flaw.
  • If an official patch is not yet available, restrict or disable avatar image rendering for untrusted users or modify the application to sanitize avatar URLs before rendering.
  • Monitor for any user‑reported malicious avatar content and apply necessary input validation or escaping to prevent script execution.
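One way to apply the URL validation and escaping the recommendations above call for, written here as an added example in Python (the language Frappe is built in) that is not Frappe's own code; render_avatar and safe_image_url are hypothetical names and the accepted URL schemes are an assumption:

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed example: the avatar title and image URL are treated as
# untrusted, user-controlled input before any HTML is built from them.
ALLOWED_SCHEMES = {"http", "https"}  # assumption: no data:, javascript:, etc.


def safe_image_url(url: str) -> Optional[str]:
    """Return the URL only if it is http(s) or a site-relative path."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme:
        # urlsplit lowercases the scheme, so "JavaScript:" is caught too
        return url if parts.scheme in ALLOWED_SCHEMES else None
    # Scheme-less input: accept /files/x.png, reject protocol-relative //host
    return url if url.startswith("/") and not url.startswith("//") else None


def render_avatar(title: str, image: Optional[str]) -> str:
    """Build an avatar fragment with every attribute and text value escaped."""
    safe_title = html.escape(title, quote=True)
    safe_src = safe_image_url(image) if image else None
    if safe_src:
        # quote=True turns " into &quot; so the value cannot close the attribute
        src_attr = html.escape(safe_src, quote=True)
        return (f'<img class="avatar" src="{src_attr}" '
                f'alt="{safe_title}" title="{safe_title}">')
    # No usable image: fall back to escaped initials instead of raw text
    initials = html.escape("".join(w[0] for w in title.split()[:2]).upper())
    return f'<span class="avatar" title="{safe_title}">{initials}</span>'
```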

Tracking

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 15:30:00 +0000

Type                 Values Removed   Values Added
Description          (none)           A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.get_avatar function.
Title                (none)           Frappe Framework 17.0.0-dev - Stored XSS in frappe.get_avatar image rendering
First Time appeared  (none)           Frappe; Frappe frappe Framework
Weaknesses           (none)           CWE-79
CPEs                 (none)           cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*
                                      cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*
                                      cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*
Vendors & Products   (none)           Frappe; Frappe frappe Framework
References           (none)           (none)
Metrics              (none)           cvssV4_0 {'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-06-24T15:50:40.350Z

Reserved: 2026-06-05T14:49:25.369Z

Link: CVE-2026-50700

Vulnrichment

Updated: 2026-06-24T15:50:37.424Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T16:30:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')