Description
Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, there is a stored XSS vulnerability in Frappe Report/List View. This issue has been patched in versions 15.107.2 and 16.17.4.
Published: 2026-06-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross-site scripting flaw exists in the Frappe framework's report and list view functionality. The vulnerability is triggered when the field set_link_title_field_value contains unencoded JavaScript, allowing an attacker to embed malicious code that runs in the browser of any user who views the affected report or list. The flaw is classified as CWE-79 and can lead to theft of session cookies, credential hijacking, or arbitrary script execution on client machines.

Affected Systems

All versions of the Frappe full‑stack web application framework released before 15.107.2 and 16.17.4 are affected. Those builds are vulnerable to the stored XSS flaw in the report and list view components.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate risk, while the EPSS score of less than 1% suggests a low likelihood of exploitation at the time of assessment. The vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that exploitation requires an authenticated user with permission to edit report or list configurations to inject malicious data; after injection, any user who views the report will execute the stored code in their browser.

Generated by OpenCVE AI on June 12, 2026 at 17:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Frappe v15.107.2 or v16.17.4 or any later release.
  • If an immediate upgrade is not feasible, remove or neutralize any custom report or list view configuration that uses the set_link_title_field_value field, or replace it with a sanitized configuration that does not embed executable script.
  • Ensure that all user‑supplied input for link titles is properly encoded before rendering, following OWASP XSS prevention guidelines to mitigate any residual risk.
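The third action above, output-encoding link titles before they reach the page, is the control that removes this class of bug regardless of what a stored configuration contains. The following is an added illustration, not Frappe's own code: a context-aware HTML encoder and a hypothetical renderLinkCell() that places a user-controlled title into both a text node and a title attribute only after encoding. The sample rows and the /app/... path layout are constructed for the example.

```javascript
// Added example (not Frappe's code): HTML-encode a user-controlled link title
// before it is placed in list/report markup. All names here are hypothetical.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every character that can change meaning in HTML text or in a
// double- or single-quoted attribute. Non-string values are stringified first
// so a null or numeric title cannot bypass the encoder.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup for one link cell. The title is encoded in both places it
// appears (text content and title attribute). The href is assembled from a
// fixed prefix plus URI-encoded path segments, so the title never influences
// the URL and a "javascript:" scheme cannot be smuggled in through it.
function renderLinkCell(doctype, name, linkTitle) {
  const safeTitle = escapeHtml(linkTitle);
  const href = `/app/${encodeURIComponent(doctype)}/${encodeURIComponent(name)}`;
  return `<a href="${href}" title="${safeTitle}">${safeTitle}</a>`;
}

// Constructed sample rows: one benign title with an ampersand, one carrying a
// script tag, one trying to break out of the attribute context.
const SAMPLE_ROWS = [
  { doctype: "Customer", name: "CUST-0001", title: "Acme & Sons" },
  { doctype: "Customer", name: "CUST-0002", title: "<script>alert(1)</script>" },
  { doctype: "Customer", name: "CUST-0003", title: '" onmouseover="alert(1)' },
];

// Render every row; each result is safe to assign to innerHTML because the
// only raw '<', '>' and '"' characters come from the template itself.
function renderAll(rows = SAMPLE_ROWS) {
  return rows.map((r) => renderLinkCell(r.doctype, r.name, r.title));
}

for (const html of renderAll()) {
  console.log(html);
}
```

The encoder is applied at the point of rendering, not at storage time, so an already-stored malicious title is neutralized as well; that is the property the "sanitized configuration" workaround in the second action cannot give on its own.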


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Frappe; Frappe frappe
Vendors & Products | | Frappe; Frappe frappe

Fri, 12 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, there is a stored XSS vulnerability in Frappe Report/List View. This issue has been patched in versions 15.107.2 and 16.17.4.
Title | | Frappe: Stored XSS in Frappe Report/List View via 'set_link_title_field_value'
Weaknesses | | CWE-79
References | |
Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T16:08:22.842Z

Reserved: 2026-06-09T19:11:53.483Z

Link: CVE-2026-53568

Vulnrichment

Updated: 2026-06-12T16:08:19.061Z

NVD

Status: Deferred

Published: 2026-06-12T16:16:33.810

Modified: 2026-06-12T16:17:58.070

Link: CVE-2026-53568

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T17:45:09Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')