Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications > Events panel.
Published: 2026-06-24
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored Cross-Site Scripting (XSS) flaw exists in Frappe Framework 17.0.0-dev. The issue arises from improper neutralization of user-controlled input in the Notifications > Events panel, allowing attackers to inject malicious script that runs whenever the event is viewed. This could lead to session hijacking, data theft, or further compromise of the affected system.

Affected Systems

The vulnerability affects the Frappe Framework product version 17.0.0-dev. All operating systems supported by the framework (Linux, macOS, Windows) are impacted because the flaw is present in the shared code base. No other versions or configurations are listed, so the risk is confined to deployments using this specific development build.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, and the EPSS score is unavailable, suggesting limited known exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation likely requires an authenticated session with permission to create or modify notification events, implying a higher attack effort. Because the flaw is stored, it can affect all users who view the crafted event. The best defense is to apply the vendor’s fix or upgrade to a later release that eliminates the XSS path.

Generated by OpenCVE AI on June 24, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest patch or upgrade to a release of Frappe Framework that includes the fix for the Notifications > Events XSS issue.
  • Restrict write permissions for the Notifications > Events panel to trusted roles or remove the feature if it is not required.
  • Implement a Content Security Policy that disallows inline scripts to reduce the impact of any remaining XSS vectors.
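As an added illustration of the mitigation class described above (this is not Frappe's code and not taken from the advisory), a defensive rendering routine for one notification event: the subject text is HTML-escaped and the colour value is allow-listed before either reaches the markup. The function names, the fallback colour and the sample records are assumptions.

```javascript
// Added example (not Frappe's code): render a stored notification event
// safely. Two defences: escape text before it lands in HTML, and only
// accept a colour value that matches a strict allow-list pattern.

const DEFAULT_COLOR = '#808080'; // assumed fallback, not from the advisory

// Minimal HTML escaping for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Allow-list: #rgb / #rrggbb hex, or a plain CSS colour keyword.
// Anything else (quotes, semicolons, url(), expressions) is rejected.
const COLOR_RE = /^(#(?:[0-9a-f]{3}|[0-9a-f]{6})|[a-z]{1,20})$/i;

function sanitizeColor(value) {
  const v = String(value ?? '').trim();
  return COLOR_RE.test(v) ? v : DEFAULT_COLOR;
}

// Build the markup for one event. Every user-controlled field goes
// through escapeHtml, and the colour is validated before it reaches
// the style attribute, so it cannot break out of the attribute.
function renderEventHtml(event) {
  const color = sanitizeColor(event.color);
  return (
    `<div class="event" style="border-left:4px solid ${color}">` +
    `<span class="subject">${escapeHtml(event.subject)}</span>` +
    `</div>`
  );
}

// Constructed sample records for demonstration (not real data).
const SAMPLE_EVENTS = [
  { subject: 'Release review', color: '#1a73e8' },
  { subject: '<b>Bold</b> & "quoted"', color: 'red" onmouseover="x' },
];

// Render both samples; the second one is neutralised rather than injected.
const RENDERED = SAMPLE_EVENTS.map(renderEventHtml);
```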


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:30:00 +0000

  • Metrics (ssvc), values added:
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 15:30:00 +0000

  • Description, values added: A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications > Events panel.
  • Title, values added: Frappe Framework 17.0.0-dev - Stored XSS in Notifications Events color rendering
  • First Time appeared, values added: Frappe; Frappe frappe Framework
  • Weaknesses, values added: CWE-79
  • CPEs, values added:
    cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*
    cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*
    cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*
  • Vendors & Products, values added: Frappe; Frappe frappe Framework
  • References, values added: (none listed)
  • Metrics (cvssV4_0), values added:
    {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-06-24T15:44:59.251Z

Reserved: 2026-06-05T14:49:25.370Z

Link: CVE-2026-50709

Vulnrichment

Updated: 2026-06-24T15:44:54.078Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T16:30:06Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')