Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component.
Published: 2026-06-24
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an unsafe eval call that processes user-controlled data stored in the Number Card component's filters_config field. Because the field's contents are executed as JavaScript rather than parsed as data, an attacker who can edit a Number Card can persist a script that runs in the browser of every user who loads a card using that filter. The weakness is categorized as CWE-79 (improper neutralization of input during web page generation).

Affected Systems

The affected product is Frappe Framework 17.0.0‑dev, which is distributed for Linux, macOS and Windows platforms.

Risk and Exploitability

The CVSS 4.0 score of 4.6 indicates moderate severity. The vector (AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) requires an attacker who already holds high privileges on the Frappe instance and a victim who actively interacts with the poisoned card; the confidentiality and integrity impact is recorded against the subsequent system, i.e. the victim's browser session, rather than against the Frappe server itself. The SSVC assessment lists Exploitation as poc, meaning a proof of concept exists but no in-the-wild exploitation has been reported, and no EPSS score has been assigned, so there is no quantitative estimate of exploitation likelihood. It is not listed in the CISA KEV catalog. The attack vector is the web interface through which Number Card filters_config is edited: an attacker with sufficient privileges to save that field can persist a malicious script that executes in the context of any user who views the card and applies its filter.

Generated by OpenCVE AI on June 24, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe Framework once the vendor publishes a release that stops evaluating filters_config as code; at the time of this entry no fixed version or vendor advisory is recorded here, so check the vendor's release notes before relying on a version number.
  • If an upgrade is not immediately possible, treat filters_config as data rather than code: reject any stored value that is not a well-formed filter definition, and restrict the ability to create or edit Number Cards to trusted roles, since whatever is saved in that field runs in the browser of every user who views the card. Escaping alone does not help while the value is still passed to eval.
  • Disable or remove the Number Card feature from the production environment until a patched version is deployed, which closes the stored XSS vector entirely.

Generated by OpenCVE AI on June 24, 2026 at 17:22 UTC.
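As an added illustration (not code from Frappe or from this entry) of the eval pattern described under Impact and of the input validation recommended above: the first function models a widget that evaluates the stored filters_config string as code, the second parses the same field as JSON and checks every filter against an allow-list, and the renderer escapes values before they reach HTML. The tuple shape [doctype, fieldname, operator, value], the function names and the operator list are assumptions; both configs are constructed samples.

```javascript
"use strict";

// Added example, not Frappe's own code. It models a client-side widget that
// turns a stored filters_config string into filter tuples of the form
// [doctype, fieldname, operator, value]. Names and the tuple shape are
// assumptions for illustration.

// Constructed filters_config values, as a privileged editor might save them.
const BENIGN_CONFIG = JSON.stringify([["Sales Invoice", "status", "=", "Paid"]]);
// Stored payload: it runs in every viewer's browser if the widget eval()s it.
// A real payload would, e.g., fetch() document.cookie to an attacker host;
// here it only leaves a marker on globalThis so the effect is observable,
// and returns a valid-looking filter list so the card still renders.
const MALICIOUS_CONFIG =
  '(function () { globalThis.__exfiltrated = "viewer session"; return []; })()';

// Vulnerable pattern (CWE-79 via eval): stored data is executed as code.
function getFiltersUnsafe(filtersConfig) {
  return eval(filtersConfig);
}

// Hardened pattern: the stored value is data. It is parsed as JSON and
// checked against a strict schema, so no code path can execute it.
const ALLOWED_OPERATORS = new Set([
  "=", "!=", ">", "<", ">=", "<=", "like", "not like", "in", "not in", "between", "is",
]);
// Conservative rule for doctype and field names (assumption, not Frappe's).
const IDENTIFIER = /^[A-Za-z][A-Za-z0-9 _-]{0,139}$/;
const LIST_OPERATORS = new Set(["in", "not in", "between"]);

function isScalar(v) {
  return v === null || ["string", "number", "boolean"].includes(typeof v);
}

function validateFilter(f, i) {
  if (!Array.isArray(f) || f.length !== 4) {
    throw new Error(`filter ${i}: expected [doctype, fieldname, operator, value]`);
  }
  const [doctype, fieldname, operator, value] = f;
  if (typeof doctype !== "string" || !IDENTIFIER.test(doctype)) {
    throw new Error(`filter ${i}: invalid doctype`);
  }
  if (typeof fieldname !== "string" || !IDENTIFIER.test(fieldname)) {
    throw new Error(`filter ${i}: invalid fieldname`);
  }
  if (!ALLOWED_OPERATORS.has(operator)) {
    throw new Error(`filter ${i}: operator not allowed`);
  }
  // List operators take an array of scalars; everything else takes one scalar.
  const valueOk = LIST_OPERATORS.has(operator)
    ? Array.isArray(value) && value.every(isScalar)
    : isScalar(value);
  if (!valueOk) throw new Error(`filter ${i}: invalid value`);
  return [doctype, fieldname, operator, value];
}

function getFiltersSafe(filtersConfig) {
  let parsed;
  try {
    parsed = JSON.parse(filtersConfig);
  } catch {
    throw new Error("filters_config is not valid JSON");
  }
  if (!Array.isArray(parsed)) {
    throw new Error("filters_config must be a JSON array of filters");
  }
  return parsed.map(validateFilter);
}

// Output-side defence: even validated values must be escaped before they are
// placed into HTML, otherwise a value such as "<img src=x onerror=...>"
// stored in a filter is a second stored-XSS path.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderFilterSummary(filters) {
  return filters
    .map(([doctype, fieldname, operator, value]) => {
      const shown = Array.isArray(value) ? value.join(", ") : value;
      return `${escapeHtml(doctype)}.${escapeHtml(fieldname)} ${escapeHtml(operator)} ${escapeHtml(shown)}`;
    })
    .join("; ");
}

// Usage: the benign config renders, the stored script is rejected as data.
console.log(renderFilterSummary(getFiltersSafe(BENIGN_CONFIG)));
try {
  getFiltersSafe(MALICIOUS_CONFIG);
} catch (e) {
  console.log("rejected:", e.message);
}
```

The important property is that getFiltersSafe has no code path in which the stored string is interpreted by the JavaScript engine: a payload that is not well-formed JSON fails at parse time, and well-formed JSON that does not match the filter schema fails at validation, so the content of a malicious filters_config never matters. The eval-based path, by contrast, executes any stored string, and an attacker who returns a valid filter list from the payload leaves nothing visibly wrong in the UI.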

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 15:30:00 +0000

Values Removed: (none)

Type: Description
Values Added: A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component.

Type: Title
Values Added: Frappe Framework 17.0.0-dev - Stored XSS via eval in Number Card filters_config

Type: First Time appeared
Values Added: Frappe; Frappe frappe Framework

Type: Weaknesses
Values Added: CWE-79

Type: CPEs
Values Added:
cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*
cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*
cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*

Type: Vendors & Products
Values Added: Frappe; Frappe frappe Framework

Type: References
Values Added: (none)

Type: Metrics (cvssV4_0)
Values Added: {'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-06-24T15:44:26.768Z

Reserved: 2026-06-05T14:49:25.370Z

Link: CVE-2026-50710

Vulnrichment

Updated: 2026-06-24T15:43:30.686Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T17:30:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')