Impact
A stored cross-site scripting (XSS) flaw exists in Frappe Framework 17.0.0-dev: user-controlled input is not neutralized when node labels are rendered by the frappe.ui.Tree component. An attacker who can set a label can store script markup on the server; it then executes in the browser of every user who later opens a view that renders that tree, which can lead to session hijacking, defacement, or exfiltration of data the victim is allowed to see. The weakness is classified as CWE-79 and carries a CVSS score of 4.8, moderate severity for a stored XSS.
Affected Systems
The affected product is Frappe Framework 17.0.0-dev. The flaw sits in the framework's client-side JavaScript, so the host operating system (Linux, macOS, or Windows) makes no difference: every installation whose pages render hierarchical data with the Tree UI component is affected, in particular where labels derived from user-supplied data are displayed without escaping.
Risk and Exploitability
The risk is modest according to the CVSS score; however, no EPSS score is available, so the likelihood of exploitation is unclear. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to create or modify tree node labels, either through authenticated access to an administrative interface or via a publicly exposed API that permits label changes. Because the payload is stored, a low-privileged user who can edit a label can target higher-privileged users who browse the same tree. Once the injected script executes, it runs in the context of the victim's session, enabling the attacker to act with that user's privileges or gather sensitive information. The attack vector is inferred to be a web interface that accepts label input, and the payload must survive both server-side storage and client-side rendering; labels that are escaped (or inserted as text rather than markup) before they reach the DOM do not reach a script context, which is the standard remediation for this weakness class.
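The following is an added example illustrating the bug class described in the Impact and Risk sections; it is not Frappe's own frappe.ui.Tree code. It models a minimal tree renderer in two forms: the vulnerable pattern, where a stored label is interpolated straight into HTML, and the hardened pattern, where the label is HTML-escaped first. The node data and the payload label are constructed for the example; the helper names (renderNodeUnsafe, renderNodeSafe, containsInjectedTag) are assumptions for illustration only.

```javascript
// Added example (not Frappe project code): vulnerable vs. escaped rendering
// of tree node labels, plus a check that flags markup injected via a label.

// Constructed sample data: one benign node and one whose label an attacker
// controls. The server stores the label verbatim, so the payload survives.
const SAMPLE_NODES = [
  { label: "Accounts", children: [] },
  { label: '<img src=x onerror="alert(document.cookie)">', children: [] },
];

// Vulnerable pattern: the label string is dropped straight into the markup.
// Equivalent in the browser: $(el).html(...) or el.innerHTML = ... with a
// string built from the label.
function renderNodeUnsafe(node) {
  return `<li class="tree-node"><a class="tree-label">${node.label}</a></li>`;
}

// Minimal HTML entity escaping for text placed into element content.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: the label is escaped before it enters the markup.
// In the browser the same effect is achieved by setting el.textContent or
// using jQuery's .text() instead of .html().
function renderNodeSafe(node) {
  return `<li class="tree-node"><a class="tree-label">${escapeHtml(node.label)}</a></li>`;
}

// Render a flat list of nodes with the chosen per-node renderer.
function renderTree(nodes, renderNode) {
  return `<ul class="tree">${nodes.map(renderNode).join("")}</ul>`;
}

// Check: the template only ever emits ul/li/a tags, so any other tag name in
// the output must have come from a label, i.e. it was injected.
function containsInjectedTag(html) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !["ul", "li", "a"].includes(t));
}

// Stand-alone demonstration.
const unsafeHtml = renderTree(SAMPLE_NODES, renderNodeUnsafe);
const safeHtml = renderTree(SAMPLE_NODES, renderNodeSafe);
console.log("unsafe output injected?", containsInjectedTag(unsafeHtml)); // true
console.log("safe output injected?  ", containsInjectedTag(safeHtml));   // false
```

Run with `node` to see that the same stored label produces a live `<img onerror=...>` element in the unsafe output and inert text (`&lt;img ...&gt;`) in the escaped output. Escaping at render time, rather than only on input, is what prevents the stored payload from ever becoming a DOM node.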
OpenCVE Enrichment