Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component.
Published: 2026-06-24
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Stored Cross‑Site Scripting flaw allows untrusted users to inject malicious scripts into the Number Card component of Frappe Framework 17.0.0‑dev. The script is stored and later rendered in the browser when a user accesses a dashboard that contains a Number Card filter field. Attackers could steal session cookies, deface the site, or perform other client‑side attacks through this flaw, consistent with CWE‑79.

Affected Systems

The vulnerability affects Frappe Framework 17.0.0‑dev on Linux, macOS, and Windows platforms.

Risk and Exploitability

The CVSS score of 4.6 indicates a low severity, and no EPSS score is available, suggesting limited exploitation data. The flaw is not listed in the CISA KEV catalog. Likely exploitation requires legitimate access that permits the attacker to input data into the Number Card filter fields, after which any user who views that dashboard will execute the injected script.

Generated by OpenCVE AI on June 24, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe Framework to a version where the Number Card component has correct input sanitization.
  • If an immediate upgrade is not possible, disable or remove the Number Card filter functionality to prevent injection.
  • Validate and escape all user‑provided input to filter fields before rendering to mitigate XSS.

Generated by OpenCVE AI on June 24, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Description A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component.
Title Frappe Framework 17.0.0-dev - Stored XSS in Number Card filter fields rendering
First Time appeared Frappe
Frappe frappe Framework
Weaknesses CWE-79
CPEs cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*
cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*
cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*
Vendors & Products Frappe
Frappe frappe Framework
References
Metrics cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Frappe Frappe Framework
cve-icon MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-06-24T15:42:49.926Z

Reserved: 2026-06-05T14:49:25.370Z

Link: CVE-2026-50711

cve-icon Vulnrichment

Updated: 2026-06-24T15:42:13.788Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:15:07Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')