Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component.
Published: 2026-06-24
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected cross-site scripting flaw exists in the breadcrumb rendering of the dashboard-view component in Frappe Framework 17.0.0-dev: user-controlled input reaches the page without proper neutralization (CWE-79). The CVE title classifies it as a reflected DOM XSS, so the injection takes place in client-side JavaScript rather than in server-rendered HTML. An attacker who gets a victim to open a crafted link can run arbitrary JavaScript in that user's browser session, with the usual in-browser consequences: actions performed with the victim's privileges against the Frappe instance, defacement of the page, or theft of data the page can read. The CVSS v4 vector rates the impact on the Frappe instance itself as none and the impact on the subsequent system (the user's browser) as low confidentiality and low integrity.

Affected Systems

The affected product is the development release Frappe Framework 17.0.0-dev. The CPE entries enumerate Linux, macOS and Windows targets, so the host operating system is irrelevant; any deployment running that development version is exposed. No other versions are listed as affected, and no fixed version is named in the record.

Risk and Exploitability

Severity is moderate: CVSS v4.0 base score 5.1 (AV:N/AC:L/AT:N/PR:N/UI:A, no impact on the vulnerable system, low confidentiality and integrity impact on the subsequent system). No EPSS data is available, the flaw is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial. The vector needs no privileges (PR:N) but does need active user interaction (UI:A): as with any reflected XSS, the attacker must use a social-engineering or phishing vector to get an authenticated user to open a crafted link. Because the title describes a DOM-based reflection, the payload may be consumed entirely by client-side JavaScript; if it travels in the URL fragment it never reaches server logs or a WAF, so network-side detection cannot be relied on. Once the script runs, the attacker can issue authenticated requests to the Frappe instance with the victim's session or carry out other client-side attacks; whether the session cookie itself can be read depends on its HttpOnly flag.

Generated by OpenCVE AI on June 24, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Frappe Framework release that contains a fix for the dashboard-view breadcrumb rendering once one is published; at the time of this entry no fixed version or vendor advisory is listed, so track the Frappe release notes and this CVE record.
  • Until a fix is available, reduce the blast radius with a Content-Security-Policy header that disallows inline scripts and restricts script sources (test it first: a strict policy breaks applications that rely on inline scripts). Because the title describes a DOM-based reflection, server-side escaping alone is not sufficient; the breadcrumb value must be treated as text at the point where client-side code inserts it into the DOM (text nodes or textContent rather than innerHTML or string-built markup), or HTML-escaped if markup has to be built.
  • Where possible, derive the breadcrumb label from trusted identifiers or an allowlist of known dashboard names rather than from free-form request input, so that arbitrary HTML never reaches the rendering path at all.
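The following is an added illustration of the bug class and of the three mitigations above; it is not Frappe's code and the page gives no source for the real component. It is written in JavaScript because the title classifies the flaw as DOM-based, i.e. client-side. A hypothetical breadcrumb renderer that takes its label from the URL is shown in the vulnerable form and in hardened forms; the function names, the sample labels, the allowlist and the "/app/" route prefix are assumptions made for the example.

```javascript
// Added illustration for CVE-2026-50701's bug class, not Frappe's code.
// A hypothetical breadcrumb renderer that takes its label from the URL,
// shown in the vulnerable form and in hardened forms. Names, the sample
// labels and the "/app/" route prefix are assumptions for the example.

// Constructed sample labels: one benign, one that a crafted link could carry.
const BENIGN_LABEL = "Sales Dashboard";
const HOSTILE_LABEL = '<img src=x onerror="alert(document.domain)">';

// Vulnerable pattern (CWE-79): the label is spliced into markup that the
// caller will hand to innerHTML or a similar HTML sink, so any tags in it
// are parsed as HTML.
function renderBreadcrumbUnsafe(segments) {
  return segments
    .map((s) => `<a href="${s.route}">${s.label}</a>`)
    .join(" / ");
}

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Only app-relative routes are accepted for href, so a javascript: or data:
// URL cannot be planted in the link target (assumed "/app/" prefix).
function safeRoute(route) {
  return /^\/app\/[A-Za-z0-9_\-\/]*$/.test(String(route)) ? route : "/app";
}

// Hardened form 1: escape at the point of concatenation. Still string-built
// HTML, but the label can no longer open a tag or an attribute.
function renderBreadcrumbEscaped(segments) {
  return segments
    .map((s) => `<a href="${escapeHtml(safeRoute(s.route))}">${escapeHtml(s.label)}</a>`)
    .join(" / ");
}

// Hardened form 2: do not derive the label from request input at all; map
// the candidate onto an allowlist of known dashboard names (constructed).
const KNOWN_DASHBOARDS = new Set(["Sales Dashboard", "Purchase Dashboard"]);
function breadcrumbLabelFromAllowlist(candidate) {
  return KNOWN_DASHBOARDS.has(candidate) ? candidate : "Dashboard";
}

// Hardened form 3 (browser only, so it takes the document as a parameter):
// build DOM nodes and assign textContent. Text assigned this way is never
// parsed as markup, which is the fix for a DOM-based sink.
function renderBreadcrumbDom(doc, segments) {
  const nav = doc.createElement("nav");
  segments.forEach((s, i) => {
    if (i > 0) nav.appendChild(doc.createTextNode(" / "));
    const a = doc.createElement("a");
    a.setAttribute("href", safeRoute(s.route));
    a.textContent = s.label;
    nav.appendChild(a);
  });
  return nav;
}

// Compensating control while no fix is available: a CSP without
// 'unsafe-inline' blocks the inline onerror handler in HOSTILE_LABEL even
// if it reaches the DOM. Set it at the web server or reverse proxy and test
// first, since applications that rely on inline scripts will break.
const CSP_HEADER =
  "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Render one hostile segment both ways so the difference is visible.
function demo() {
  const segments = [{ route: "/app/dashboard-view", label: HOSTILE_LABEL }];
  return {
    unsafe: renderBreadcrumbUnsafe(segments),
    escaped: renderBreadcrumbEscaped(segments),
    allowlisted: breadcrumbLabelFromAllowlist(HOSTILE_LABEL),
    benign: breadcrumbLabelFromAllowlist(BENIGN_LABEL),
    csp: CSP_HEADER,
  };
}

console.log(demo());
```

Running the block under Node prints the unsafe rendering with the `<img>` tag intact beside the escaped rendering where it has become `&lt;img ...&gt;`, and shows the hostile label collapsing to the fallback "Dashboard" under the allowlist. The DOM-building variant only runs in a browser, which is where the real sink lives; it is the form to prefer over escaping because it removes the string-to-markup step entirely.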



Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 15:30:00 +0000

Values Removed: (none) for every entry below.

Type: Description
Values Added: A Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component.

Type: Title
Values Added: Frappe Framework 17.0.0-dev - Reflected DOM XSS in dashboard-view breadcrumb rendering

Type: First Time appeared
Values Added: Frappe; Frappe frappe Framework

Type: Weaknesses
Values Added: CWE-79

Type: CPEs
Values Added:
  cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*
  cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*
  cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*

Type: Vendors & Products
Values Added: Frappe; Frappe frappe Framework

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-06-24T15:49:55.677Z

Reserved: 2026-06-05T14:49:25.369Z

Link: CVE-2026-50701

Vulnrichment

Updated: 2026-06-24T15:49:52.900Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T16:30:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')