Search

Find a vulnerability

Search criteria

    171 vulnerabilities by frappe

    CVE-2026-55852 (GCVE-0-2026-55852)

    Vulnerability from cvelistv5 – Published: 2026-07-10 21:28 – Updated: 2026-07-10 21:28
    VLAI
    Title
    Frappe: TarSlip RCE in Package Import
    Summary
    Frappe is a full-stack web application framework. Prior to 16.23.0 and 15.112.0, TarSlip RCE was possible in Package Import because tarfile members were not sufficiently checked before extraction. This issue is fixed in versions 16.23.0 and 15.112.0.
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 15.112.0
    Affected: >= 16.0.0-beta.1, < 16.23.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.112.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.0.0-beta.1, \u003c 16.23.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to 16.23.0 and 15.112.0, TarSlip RCE was possible in Package Import because tarfile members were not sufficiently checked before extraction. This issue is fixed in versions 16.23.0 and 15.112.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:28:29.445Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-58w2-4cjg-hvp6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-58w2-4cjg-hvp6"
            },
            {
              "name": "https://github.com/frappe/frappe/pull/38716",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/pull/38716"
            },
            {
              "name": "https://github.com/frappe/frappe/pull/40044",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/pull/40044"
            },
            {
              "name": "https://github.com/frappe/frappe/pull/40045",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/pull/40045"
            },
            {
              "name": "https://github.com/frappe/frappe/commit/3c75f13fd7d4441a880dd236450277dc37fcddfd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/commit/3c75f13fd7d4441a880dd236450277dc37fcddfd"
            },
            {
              "name": "https://github.com/frappe/frappe/commit/4772e3e7f72db43d48137af74fa77e5fce903223",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/commit/4772e3e7f72db43d48137af74fa77e5fce903223"
            },
            {
              "name": "https://github.com/frappe/frappe/commit/57e527d933aeffaec0cd735838701792c848e3e7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/commit/57e527d933aeffaec0cd735838701792c848e3e7"
            },
            {
              "name": "https://github.com/frappe/frappe/releases/tag/v15.112.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/releases/tag/v15.112.0"
            },
            {
              "name": "https://github.com/frappe/frappe/releases/tag/v16.23.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/releases/tag/v16.23.0"
            }
          ],
          "source": {
            "advisory": "GHSA-58w2-4cjg-hvp6",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe: TarSlip RCE in Package Import"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55852",
        "datePublished": "2026-07-10T21:28:29.445Z",
        "dateReserved": "2026-06-17T16:44:40.995Z",
        "dateUpdated": "2026-07-10T21:28:29.445Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42219 (GCVE-0-2026-42219)

    Vulnerability from cvelistv5 – Published: 2026-07-10 21:26 – Updated: 2026-07-10 21:26
    VLAI
    Title
    Frappe: Path Traversal via /backups Route
    Summary
    Frappe is a full-stack web application framework. Prior to 16.19.0 and 15.109.0, path traversal via download_backups was possible due to lack of hardening. This issue is fixed in versions 16.19.0 and 15.109.0.
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 15.109.0
    Affected: >= 16.0.0-beta.1, < 16.19.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.109.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.0.0-beta.1, \u003c 16.19.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to 16.19.0 and 15.109.0, path traversal via download_backups was possible due to lack of hardening. This issue is fixed in versions 16.19.0 and 15.109.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:26:30.005Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-w4p4-fp9m-47gj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-w4p4-fp9m-47gj"
            },
            {
              "name": "https://github.com/frappe/frappe/pull/38740",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/pull/38740"
            },
            {
              "name": "https://github.com/frappe/frappe/pull/39402",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/pull/39402"
            },
            {
              "name": "https://github.com/frappe/frappe/pull/39403",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/pull/39403"
            },
            {
              "name": "https://github.com/frappe/frappe/commit/4358f5bd449710027724a1679950d4ea65da6dcc",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/commit/4358f5bd449710027724a1679950d4ea65da6dcc"
            },
            {
              "name": "https://github.com/frappe/frappe/commit/a470a1189132984635e2ec148f87de5232f5535d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/commit/a470a1189132984635e2ec148f87de5232f5535d"
            },
            {
              "name": "https://github.com/frappe/frappe/commit/a562ef2a5a3885895b9f9cf14d5a53e32e52d326",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/commit/a562ef2a5a3885895b9f9cf14d5a53e32e52d326"
            },
            {
              "name": "https://github.com/frappe/frappe/releases/tag/v15.109.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/releases/tag/v15.109.0"
            },
            {
              "name": "https://github.com/frappe/frappe/releases/tag/v16.19.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/releases/tag/v16.19.0"
            }
          ],
          "source": {
            "advisory": "GHSA-w4p4-fp9m-47gj",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe: Path Traversal via /backups Route"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42219",
        "datePublished": "2026-07-10T21:26:30.005Z",
        "dateReserved": "2026-04-25T05:04:37.029Z",
        "dateUpdated": "2026-07-10T21:26:30.005Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-49394 (GCVE-0-2026-49394)

    Vulnerability from cvelistv5 – Published: 2026-07-10 21:24 – Updated: 2026-07-10 21:24
    VLAI
    Title
    Frappe: Auth. bypass via update_page
    Summary
    Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the update_page endpoint in Workspace because public workspaces did not receive the required Workspace Manager edit check. This issue is fixed in version 16.19.0.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 16.19.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 16.19.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the update_page endpoint in Workspace because public workspaces did not receive the required Workspace Manager edit check. This issue is fixed in version 16.19.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:24:47.624Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-r24j-xrj8-273q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-r24j-xrj8-273q"
            },
            {
              "name": "https://github.com/frappe/frappe/pull/39508",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/pull/39508"
            },
            {
              "name": "https://github.com/frappe/frappe/pull/39526",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/pull/39526"
            },
            {
              "name": "https://github.com/frappe/frappe/commit/2471d94c397dc23301b30ed3bb30353f53b33f2c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/commit/2471d94c397dc23301b30ed3bb30353f53b33f2c"
            },
            {
              "name": "https://github.com/frappe/frappe/commit/6eba29d7ae80cdb4d0b2a245a477b1d2312736ca",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/commit/6eba29d7ae80cdb4d0b2a245a477b1d2312736ca"
            },
            {
              "name": "https://github.com/frappe/frappe/releases/tag/v16.19.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/releases/tag/v16.19.0"
            }
          ],
          "source": {
            "advisory": "GHSA-r24j-xrj8-273q",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe: Auth. bypass via update_page"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-49394",
        "datePublished": "2026-07-10T21:24:47.624Z",
        "dateReserved": "2026-05-29T19:08:01.256Z",
        "dateUpdated": "2026-07-10T21:24:47.624Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48127 (GCVE-0-2026-48127)

    Vulnerability from cvelistv5 – Published: 2026-07-10 21:23 – Updated: 2026-07-10 21:23
    VLAI
    Title
    Frappe: Arbitrary Attachment Injection via add_attachments and upload_file
    Summary
    Frappe is a full-stack web application framework. Prior to 16.20.0 and 15.110.0, users without write access could attach files to any doctype through file-handling API endpoints such as add_attachments. This issue is fixed in versions 16.20.0 and 15.110.0.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 15.110.0
    Affected: >= 16.0.0-beta.1, < 16.20.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.110.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.0.0-beta.1, \u003c 16.20.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to 16.20.0 and 15.110.0, users without write access could attach files to any doctype through file-handling API endpoints such as add_attachments. This issue is fixed in versions 16.20.0 and 15.110.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:23:37.101Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-fwrv-4rw4-97fw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-fwrv-4rw4-97fw"
            },
            {
              "name": "https://github.com/frappe/frappe/pull/39407",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/pull/39407"
            },
            {
              "name": "https://github.com/frappe/frappe/pull/39550",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/pull/39550"
            },
            {
              "name": "https://github.com/frappe/frappe/pull/39553",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/pull/39553"
            },
            {
              "name": "https://github.com/frappe/frappe/commit/4bf27db101c34bd542a760290fc0775efa5cd0e4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/commit/4bf27db101c34bd542a760290fc0775efa5cd0e4"
            },
            {
              "name": "https://github.com/frappe/frappe/commit/b1c86042e6f85986f35365c80bb1d102ff1cd0e4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/commit/b1c86042e6f85986f35365c80bb1d102ff1cd0e4"
            },
            {
              "name": "https://github.com/frappe/frappe/commit/fee1af6d89910f6b174fd094184060aeb641d07d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/commit/fee1af6d89910f6b174fd094184060aeb641d07d"
            },
            {
              "name": "https://github.com/frappe/frappe/releases/tag/v15.110.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/releases/tag/v15.110.0"
            },
            {
              "name": "https://github.com/frappe/frappe/releases/tag/v16.20.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/releases/tag/v16.20.0"
            }
          ],
          "source": {
            "advisory": "GHSA-fwrv-4rw4-97fw",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe: Arbitrary Attachment Injection via add_attachments and upload_file"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48127",
        "datePublished": "2026-07-10T21:23:37.101Z",
        "dateReserved": "2026-05-20T18:46:58.292Z",
        "dateUpdated": "2026-07-10T21:23:37.101Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41482 (GCVE-0-2026-41482)

    Vulnerability from cvelistv5 – Published: 2026-07-10 21:20 – Updated: 2026-07-10 21:20
    VLAI
    Title
    Frappe: Possible Path Traversal and Local File Inclusion via Chrome PDF Generator
    Summary
    Frappe is a full-stack web application framework. Prior to 16.18.3, possible path traversal and local file inclusion were possible through secure local resource access in the Chrome PDF Generator. This issue is fixed in version 16.18.3.
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 16.18.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 16.18.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to 16.18.3, possible path traversal and local file inclusion were possible through secure local resource access in the Chrome PDF Generator. This issue is fixed in version 16.18.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:20:36.507Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-234v-jfr8-v2f8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-234v-jfr8-v2f8"
            },
            {
              "name": "https://github.com/frappe/frappe/pull/38643",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/pull/38643"
            },
            {
              "name": "https://github.com/frappe/frappe/pull/39396",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/pull/39396"
            },
            {
              "name": "https://github.com/frappe/frappe/commit/11066591ed7aa91a7b742f3f689277a90e620ce0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/commit/11066591ed7aa91a7b742f3f689277a90e620ce0"
            },
            {
              "name": "https://github.com/frappe/frappe/commit/46841f7fde3954e1d3b3a7e248a6d6022343e657",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/commit/46841f7fde3954e1d3b3a7e248a6d6022343e657"
            },
            {
              "name": "https://github.com/frappe/frappe/releases/tag/v16.18.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/releases/tag/v16.18.3"
            }
          ],
          "source": {
            "advisory": "GHSA-234v-jfr8-v2f8",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe: Possible Path Traversal and Local File Inclusion via Chrome PDF Generator"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41482",
        "datePublished": "2026-07-10T21:20:36.507Z",
        "dateReserved": "2026-04-20T16:14:19.006Z",
        "dateUpdated": "2026-07-10T21:20:36.507Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47199 (GCVE-0-2026-47199)

    Vulnerability from cvelistv5 – Published: 2026-07-10 21:14 – Updated: 2026-07-10 21:14
    VLAI
    Title
    Frappe: check_safe_sql_query Permits SELECT INTO OUTFILE
    Summary
    Frappe is a full-stack web application framework. Prior to 16.18.3 and 15.108.0, check_safe_sql_query permitted SELECT INTO OUTFILE queries, which could potentially work on self-hosted sites if database permissions are not well aligned and MySQL FILE privileges are available. This issue is fixed in versions 16.18.3 and 15.108.0.
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 15.108.0
    Affected: >= 16.0.0-beta.1, < 16.18.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.108.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.0.0-beta.1, \u003c 16.18.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to 16.18.3 and 15.108.0, check_safe_sql_query permitted SELECT INTO OUTFILE queries, which could potentially work on self-hosted sites if database permissions are not well aligned and MySQL FILE privileges are available. This issue is fixed in versions 16.18.3 and 15.108.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:14:12.195Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-wx8j-cw4r-vrhv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-wx8j-cw4r-vrhv"
            },
            {
              "name": "https://github.com/frappe/frappe/pull/39345",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/pull/39345"
            },
            {
              "name": "https://github.com/frappe/frappe/pull/39346",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/pull/39346"
            },
            {
              "name": "https://github.com/frappe/frappe/commit/628e103f7ffe307447d9fc9e2c572cbddedfa3b5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/commit/628e103f7ffe307447d9fc9e2c572cbddedfa3b5"
            },
            {
              "name": "https://github.com/frappe/frappe/commit/91d3ded038d1c901b73f4a2293e134d691c1662d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/commit/91d3ded038d1c901b73f4a2293e134d691c1662d"
            },
            {
              "name": "https://github.com/frappe/frappe/releases/tag/v15.108.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/releases/tag/v15.108.0"
            },
            {
              "name": "https://github.com/frappe/frappe/releases/tag/v16.18.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/releases/tag/v16.18.3"
            }
          ],
          "source": {
            "advisory": "GHSA-wx8j-cw4r-vrhv",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe: check_safe_sql_query Permits SELECT INTO OUTFILE"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47199",
        "datePublished": "2026-07-10T21:14:12.195Z",
        "dateReserved": "2026-05-18T22:07:37.436Z",
        "dateUpdated": "2026-07-10T21:14:12.195Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58503 (GCVE-0-2026-58503)

    Vulnerability from cvelistv5 – Published: 2026-07-10 21:12 – Updated: 2026-07-10 21:12
    VLAI
    Title
    Frappe: Unauthenticated User Enumeration via reset_password
    Summary
    Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the reset_password endpoint. This issue is fixed in versions 16.16.0 and 15.106.0.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 15.106.0
    Affected: >= 16.0.0-beta1, < 16.16.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.106.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.0.0-beta1, \u003c 16.16.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the reset_password endpoint. This issue is fixed in versions 16.16.0 and 15.106.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-203",
                  "description": "CWE-203: Observable Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:12:28.742Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-3vqc-c545-w7jg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-3vqc-c545-w7jg"
            },
            {
              "name": "https://github.com/frappe/frappe/pull/38625",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/pull/38625"
            },
            {
              "name": "https://github.com/frappe/frappe/pull/38626",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/pull/38626"
            },
            {
              "name": "https://github.com/frappe/frappe/commit/1ff64d4a67f9a6d8819ac059dc69f023fb9ea264",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/commit/1ff64d4a67f9a6d8819ac059dc69f023fb9ea264"
            },
            {
              "name": "https://github.com/frappe/frappe/commit/d3becf5672cbb5c7150447161941aeebeeb84ae8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/commit/d3becf5672cbb5c7150447161941aeebeeb84ae8"
            },
            {
              "name": "https://github.com/frappe/frappe/releases/tag/v15.106.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/releases/tag/v15.106.0"
            },
            {
              "name": "https://github.com/frappe/frappe/releases/tag/v16.16.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/frappe/frappe/releases/tag/v16.16.0"
            }
          ],
          "source": {
            "advisory": "GHSA-3vqc-c545-w7jg",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe: Unauthenticated User Enumeration via reset_password"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58503",
        "datePublished": "2026-07-10T21:12:28.742Z",
        "dateReserved": "2026-06-30T20:21:25.813Z",
        "dateUpdated": "2026-07-10T21:12:28.742Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47422 (GCVE-0-2026-47422)

    Vulnerability from cvelistv5 – Published: 2026-07-10 21:09 – Updated: 2026-07-10 21:09
    VLAI
    Title
    Frappe: Unrestricted API access to save_report
    Summary
    Frappe is a full-stack web application framework. Prior to 15.107.5 and 16.18.2, an endpoint in reportview lacked appropriate permission checks and that has since been fixed. This vulnerability is fixed in 15.107.5 and 16.18.2.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 15.107.5
    Affected: >= 16.0.0-beta.1, < 6.18.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.107.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.0.0-beta.1, \u003c 6.18.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to 15.107.5 and 16.18.2, an endpoint in reportview lacked appropriate permission checks and that has since been fixed. This vulnerability is fixed in 15.107.5 and 16.18.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:09:58.177Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-w8g7-j846-j248",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-w8g7-j846-j248"
            }
          ],
          "source": {
            "advisory": "GHSA-w8g7-j846-j248",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe: Unrestricted API access to save_report"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47422",
        "datePublished": "2026-07-10T21:09:58.177Z",
        "dateReserved": "2026-05-19T19:37:43.526Z",
        "dateUpdated": "2026-07-10T21:09:58.177Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50712 (GCVE-0-2026-50712)

    Vulnerability from cvelistv5 – Published: 2026-06-24 15:26 – Updated: 2026-06-24 15:38
    VLAI
    Title
    Frappe Framework 17.0.0-dev - Stored XSS in Tree View node label rendering
    Summary
    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.ui.Tree component
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Frappe Frappe Framework Affected: 17.0.0-dev
    Create a notification for this product.
    Credits
    Fluid Attacks' AI SAST Scanner Oscar Uribe
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50712",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T15:38:16.877100Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T15:38:21.291Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://fluidattacks.com/es/advisories/misfits"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "Frappe Framework",
              "vendor": "Frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.0-dev"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fluid Attacks\u0027 AI SAST Scanner"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Oscar Uribe"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.ui.Tree component\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.ui.Tree component"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T15:26:54.413Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://fluidattacks.com/es/advisories/misfits"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/frappe/frappe"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Frappe Framework 17.0.0-dev - Stored XSS in Tree View node label rendering",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2026-50712",
        "datePublished": "2026-06-24T15:26:54.413Z",
        "dateReserved": "2026-06-05T14:49:25.370Z",
        "dateUpdated": "2026-06-24T15:38:21.291Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50711 (GCVE-0-2026-50711)

    Vulnerability from cvelistv5 – Published: 2026-06-24 15:18 – Updated: 2026-06-24 15:42
    VLAI
    Title
    Frappe Framework 17.0.0-dev - Stored XSS in Number Card filter fields rendering
    Summary
    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Frappe Frappe Framework Affected: 17.0.0-dev
    Create a notification for this product.
    Credits
    Fluid Attacks' AI SAST Scanner Oscar Uribe
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50711",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T15:42:35.460125Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T15:42:49.926Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://fluidattacks.com/es/advisories/disturbed"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "Frappe Framework",
              "repo": "https://github.com/frappe/frappe",
              "vendor": "Frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.0-dev"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fluid Attacks\u0027 AI SAST Scanner"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Oscar Uribe"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component. \u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T15:18:43.359Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://fluidattacks.com/es/advisories/disturbed"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/frappe/frappe"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Frappe Framework 17.0.0-dev - Stored XSS in Number Card filter fields rendering",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2026-50711",
        "datePublished": "2026-06-24T15:18:43.359Z",
        "dateReserved": "2026-06-05T14:49:25.370Z",
        "dateUpdated": "2026-06-24T15:42:49.926Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50710 (GCVE-0-2026-50710)

    Vulnerability from cvelistv5 – Published: 2026-06-24 15:08 – Updated: 2026-06-24 15:44
    VLAI
    Title
    Frappe Framework 17.0.0-dev - Stored XSS via eval in Number Card filters_config
    Summary
    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Frappe Frappe Framework Affected: 17.0.0-dev
    Create a notification for this product.
    Credits
    Fluid Attacks' AI SAST Scanner Oscar Uribe
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50710",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T15:43:45.566286Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T15:44:26.768Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://fluidattacks.com/es/advisories/sum41"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "Frappe Framework",
              "vendor": "Frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.0-dev"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fluid Attacks\u0027 AI SAST Scanner"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Oscar Uribe"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component. \u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T15:08:41.416Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://fluidattacks.com/es/advisories/sum41"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/frappe/frappe"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Frappe Framework 17.0.0-dev - Stored XSS via eval in Number Card filters_config",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2026-50710",
        "datePublished": "2026-06-24T15:08:41.416Z",
        "dateReserved": "2026-06-05T14:49:25.370Z",
        "dateUpdated": "2026-06-24T15:44:26.768Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50709 (GCVE-0-2026-50709)

    Vulnerability from cvelistv5 – Published: 2026-06-24 15:04 – Updated: 2026-06-24 15:44
    VLAI
    Title
    Frappe Framework 17.0.0-dev - Stored XSS in Notifications Events color rendering
    Summary
    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications > Events panel.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Frappe Frappe Framework Affected: 17.0.0-dev
    Create a notification for this product.
    Credits
    Fluid Attacks' AI SAST Scanner Oscar Uribe
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50709",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T15:44:56.401711Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T15:44:59.251Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://fluidattacks.com/es/advisories/journey"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "Frappe Framework",
              "repo": "https://github.com/frappe/frappe",
              "vendor": "Frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.0-dev"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fluid Attacks\u0027 AI SAST Scanner"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Oscar Uribe"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications \u0026gt; Events panel.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications \u003e Events panel."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T15:04:39.793Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://fluidattacks.com/es/advisories/journey"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/frappe/frappe"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Frappe Framework 17.0.0-dev - Stored XSS in Notifications Events color rendering",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2026-50709",
        "datePublished": "2026-06-24T15:04:39.793Z",
        "dateReserved": "2026-06-05T14:49:25.370Z",
        "dateUpdated": "2026-06-24T15:44:59.251Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50708 (GCVE-0-2026-50708)

    Vulnerability from cvelistv5 – Published: 2026-06-24 14:58 – Updated: 2026-06-24 15:47
    VLAI
    Title
    Frappe Framework 17.0.0-dev - Stored XSS in Multi Select Dialog result rendering
    Summary
    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the MultiSelectDialog component.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Frappe Frappe Framework Affected: 17.0.0-dev
    Create a notification for this product.
    Credits
    Fluid Attacks' AI SAST Scanner Oscar Uribe
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50708",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T15:45:53.899182Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T15:47:02.132Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://fluidattacks.com/es/advisories/extremoduro"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "Frappe Framework",
              "repo": "https://github.com/frappe/frappe",
              "vendor": "Frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.0-dev"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fluid Attacks\u0027 AI SAST Scanner"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Oscar Uribe"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the MultiSelectDialog component.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the MultiSelectDialog component."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T14:58:51.624Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://fluidattacks.com/es/advisories/extremoduro"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/frappe/frappe"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Frappe Framework 17.0.0-dev - Stored XSS in Multi Select Dialog result rendering",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2026-50708",
        "datePublished": "2026-06-24T14:58:51.624Z",
        "dateReserved": "2026-06-05T14:49:25.369Z",
        "dateUpdated": "2026-06-24T15:47:02.132Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50705 (GCVE-0-2026-50705)

    Vulnerability from cvelistv5 – Published: 2026-06-24 14:51 – Updated: 2026-06-24 15:47
    VLAI
    Title
    Frappe Framework 17.0.0-dev - Stored XSS in Form Dashboard headline rendering
    Summary
    A Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Frappe Frappe Framework Affected: 17.0.0-dev
    Create a notification for this product.
    Credits
    Fluid Attacks' AI SAST Scanner Oscar Uribe
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50705",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T15:47:32.423824Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T15:47:54.787Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://fluidattacks.com/es/advisories/aterciopelados"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "Frappe Framework",
              "vendor": "Frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.0-dev"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fluid Attacks\u0027 AI SAST Scanner"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Oscar Uribe"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "A Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T14:51:29.034Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://fluidattacks.com/es/advisories/aterciopelados"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/frappe/frappe"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Frappe Framework 17.0.0-dev - Stored XSS in Form Dashboard headline rendering",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2026-50705",
        "datePublished": "2026-06-24T14:51:29.034Z",
        "dateReserved": "2026-06-05T14:49:25.369Z",
        "dateUpdated": "2026-06-24T15:47:54.787Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50704 (GCVE-0-2026-50704)

    Vulnerability from cvelistv5 – Published: 2026-06-24 14:46 – Updated: 2026-06-24 15:48
    VLAI
    Title
    Frappe Framework 17.0.0-dev - Reflected/Stored XSS in File View breadcrumbs rendering
    Summary
    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the File View breadcrumb renderer.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Frappe Frappe Framework Affected: 17.0.0-dev
    Create a notification for this product.
    Credits
    Fluid Attacks' AI SAST Scanner Oscar Uribe
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50704",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T15:48:15.033132Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T15:48:38.475Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://fluidattacks.com/es/advisories/molotov"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "Frappe Framework",
              "repo": "https://github.com/frappe/frappe",
              "vendor": "Frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.0-dev"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fluid Attacks\u0027 AI SAST Scanner"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Oscar Uribe"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the File View breadcrumb renderer. \u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the File View breadcrumb renderer."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T14:46:38.275Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://fluidattacks.com/es/advisories/molotov"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/frappe/frappe"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Frappe Framework 17.0.0-dev - Reflected/Stored XSS in File View breadcrumbs rendering",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2026-50704",
        "datePublished": "2026-06-24T14:46:38.275Z",
        "dateReserved": "2026-06-05T14:49:25.369Z",
        "dateUpdated": "2026-06-24T15:48:38.475Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50703 (GCVE-0-2026-50703)

    Vulnerability from cvelistv5 – Published: 2026-06-24 14:42 – Updated: 2026-06-24 15:49
    VLAI
    Title
    Frappe Framework 17.0.0-dev - Stored XSS in Desktop Icon label rendering
    Summary
    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Desk desktop icon renderer.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Frappe Frappe Framework Affected: 17.0.0-dev
    Create a notification for this product.
    Credits
    Fluid Attacks' AI SAST Scanner Oscar Uribe
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50703",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T15:49:16.406474Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T15:49:22.561Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "Frappe Framework",
              "repo": "https://github.com/frappe/frappe",
              "vendor": "Frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.0-dev"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fluid Attacks\u0027 AI SAST Scanner"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Oscar Uribe"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Desk desktop icon renderer.\u003c/p\u003e"
                }
              ],
              "value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Desk desktop icon renderer."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T14:42:09.075Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://fluidattacks.com/es/advisories/soja"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/frappe/frappe"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Frappe Framework 17.0.0-dev - Stored XSS in Desktop Icon label rendering",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2026-50703",
        "datePublished": "2026-06-24T14:42:09.075Z",
        "dateReserved": "2026-06-05T14:49:25.369Z",
        "dateUpdated": "2026-06-24T15:49:22.561Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50701 (GCVE-0-2026-50701)

    Vulnerability from cvelistv5 – Published: 2026-06-24 14:33 – Updated: 2026-06-24 15:49
    VLAI
    Title
    Frappe Framework 17.0.0-dev - Reflected DOM XSS in dashboard-view breadcrumb rendering
    Summary
    A Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Frappe Frappe Framework Affected: 17.0.0-dev
    Create a notification for this product.
    Credits
    Fluid Attacks' AI SAST Scanner Oscar Uribe
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50701",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T15:49:49.712333Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T15:49:55.677Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "Frappe Framework",
              "repo": "https://github.com/frappe/frappe",
              "vendor": "Frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.0-dev"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fluid Attacks\u0027 AI SAST Scanner"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Oscar Uribe"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-591",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-591 Reflected XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T14:33:09.315Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://fluidattacks.com/es/advisories/nena"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/frappe/frappe"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Frappe Framework 17.0.0-dev - Reflected DOM XSS in dashboard-view breadcrumb rendering",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2026-50701",
        "datePublished": "2026-06-24T14:33:09.315Z",
        "dateReserved": "2026-06-05T14:49:25.369Z",
        "dateUpdated": "2026-06-24T15:49:55.677Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50700 (GCVE-0-2026-50700)

    Vulnerability from cvelistv5 – Published: 2026-06-24 14:27 – Updated: 2026-06-24 15:50
    VLAI
    Title
    Frappe Framework 17.0.0-dev - Stored XSS in frappe.get_avatar image rendering
    Summary
    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.get_avatar function.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Frappe Frappe Framework Affected: 17.0.0-dev
    Create a notification for this product.
    Credits
    Fluid Attacks' AI SAST Scanner Oscar Uribe
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50700",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T15:50:15.340970Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T15:50:40.350Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "Linux",
                "MacOS"
              ],
              "product": "Frappe Framework",
              "repo": "https://github.com/frappe/frappe",
              "vendor": "Frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.0-dev"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fluid Attacks\u0027 AI SAST Scanner"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Oscar Uribe"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.get_avatar function.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.get_avatar function."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T14:27:06.382Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://fluidattacks.com/es/advisories/caligaris"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/frappe/frappe"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Frappe Framework 17.0.0-dev - Stored XSS in frappe.get_avatar image rendering",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2026-50700",
        "datePublished": "2026-06-24T14:27:06.382Z",
        "dateReserved": "2026-06-05T14:49:25.369Z",
        "dateUpdated": "2026-06-24T15:50:40.350Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50699 (GCVE-0-2026-50699)

    Vulnerability from cvelistv5 – Published: 2026-06-24 14:20 – Updated: 2026-06-24 14:45
    VLAI
    Title
    Frappe Framework 17.0.0-dev - Stored XSS in Auto Repeat dashboard schedule rendering
    Summary
    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger script execution when users open the affected Auto Repeat form.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Frappe Frappe Framework Affected: 17.0.0-dev
    Create a notification for this product.
    Credits
    Fluid Attacks' AI SAST Scanner Oscar Uribe
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50699",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T14:45:44.122490Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T14:45:48.861Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://fluidattacks.com/es/advisories/monkeys"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "Linux",
                "MacOS"
              ],
              "product": "Frappe Framework",
              "vendor": "Frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.0-dev"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fluid Attacks\u0027 AI SAST Scanner"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Oscar Uribe"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to \u003c/span\u003e\u003ccode\u003eAuto Repeat\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e can persist HTML/JavaScript in \u003c/span\u003e\u003ccode\u003ereference_document\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e using a whitelisted write path and trigger script execution when users open the affected \u003c/span\u003e\u003ccode\u003eAuto Repeat\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e form.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger script execution when users open the affected Auto Repeat form."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T14:20:31.447Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://fluidattacks.com/es/advisories/monkeys"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/frappe/frappe"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Frappe Framework 17.0.0-dev - Stored XSS in Auto Repeat dashboard schedule rendering",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2026-50699",
        "datePublished": "2026-06-24T14:20:31.447Z",
        "dateReserved": "2026-06-05T14:49:25.369Z",
        "dateUpdated": "2026-06-24T14:45:48.861Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50698 (GCVE-0-2026-50698)

    Vulnerability from cvelistv5 – Published: 2026-06-24 14:17 – Updated: 2026-06-24 14:48
    VLAI
    Title
    Frappe Framework 17.0.0-dev - Stored XSS in Audit Trail template rendering
    Summary
    A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Frappe Frappe Framework Affected: 17.0.0-dev
    Create a notification for this product.
    Credits
    Fluid Attacks' AI SAST Scanner Oscar Uribe
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50698",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T14:48:09.932212Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T14:48:14.522Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://fluidattacks.com/es/advisories/rufus"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "Linux",
                "MacOS"
              ],
              "product": "Frappe Framework",
              "repo": "https://github.com/frappe/frappe",
              "vendor": "Frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.0-dev"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fluid Attacks\u0027 AI SAST Scanner"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Oscar Uribe"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component.\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T14:17:03.455Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://fluidattacks.com/es/advisories/rufus"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/frappe/frappe"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Frappe Framework 17.0.0-dev - Stored XSS in Audit Trail template rendering",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2026-50698",
        "datePublished": "2026-06-24T14:17:03.455Z",
        "dateReserved": "2026-06-05T14:49:25.369Z",
        "dateUpdated": "2026-06-24T14:48:14.522Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53568 (GCVE-0-2026-53568)

    Vulnerability from cvelistv5 – Published: 2026-06-12 14:45 – Updated: 2026-06-12 16:08
    VLAI
    Title
    Frappe: Stored XSS in Frappe Report/List View via 'set_link_title_field_value'
    Summary
    Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, there is a stored XSS vulnerablity in Frappe Report/List View. This issue has been patched in versions 15.107.2 and 16.17.4.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 15.107.2
    Affected: < 16.17.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53568",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T16:08:16.906442Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T16:08:22.842Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.107.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 16.17.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, there is a stored XSS vulnerablity in Frappe Report/List View. This issue has been patched in versions 15.107.2 and 16.17.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T14:45:11.531Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-rx63-c3fh-8926",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-rx63-c3fh-8926"
            }
          ],
          "source": {
            "advisory": "GHSA-rx63-c3fh-8926",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe: Stored XSS in Frappe Report/List View via \u0027set_link_title_field_value\u0027"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53568",
        "datePublished": "2026-06-12T14:45:11.531Z",
        "dateReserved": "2026-06-09T19:11:53.483Z",
        "dateUpdated": "2026-06-12T16:08:22.842Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50026 (GCVE-0-2026-50026)

    Vulnerability from cvelistv5 – Published: 2026-06-12 14:43 – Updated: 2026-06-12 16:07
    VLAI
    Title
    Frappe: Lack of permissions checks in 'relink' and 'set_email_password' endpoints
    Summary
    Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, a lack of permission checks in these endpoints allowed unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 15.107.0
    Affected: < 16.17.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50026",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T16:07:10.483294Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T16:07:17.900Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.107.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 16.17.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, a lack of permission checks in these endpoints allowed unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T14:43:41.190Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-q6m6-759h-46jp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-q6m6-759h-46jp"
            }
          ],
          "source": {
            "advisory": "GHSA-q6m6-759h-46jp",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe: Lack of permissions checks in \u0027relink\u0027 and \u0027set_email_password\u0027 endpoints"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50026",
        "datePublished": "2026-06-12T14:43:41.190Z",
        "dateReserved": "2026-06-02T22:46:02.580Z",
        "dateUpdated": "2026-06-12T16:07:17.900Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47182 (GCVE-0-2026-47182)

    Vulnerability from cvelistv5 – Published: 2026-06-12 14:39 – Updated: 2026-06-12 16:26
    VLAI
    Title
    Frappe: Broken Access Control on Private Files
    Summary
    Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 16.17.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47182",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T16:26:47.239754Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T16:26:53.911Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 16.17.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T14:39:57.995Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-gvg7-4p32-j648",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-gvg7-4p32-j648"
            }
          ],
          "source": {
            "advisory": "GHSA-gvg7-4p32-j648",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe: Broken Access Control on Private Files"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47182",
        "datePublished": "2026-06-12T14:39:57.995Z",
        "dateReserved": "2026-05-18T22:07:37.434Z",
        "dateUpdated": "2026-06-12T16:26:53.911Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44976 (GCVE-0-2026-44976)

    Vulnerability from cvelistv5 – Published: 2026-06-12 14:38 – Updated: 2026-06-12 15:57
    VLAI
    Title
    Frappe: IDOR in update_onboarding_step
    Summary
    Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 16.17.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44976",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T15:57:49.083034Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T15:57:57.457Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 16.17.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T14:38:00.385Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-78rj-jch8-42m8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-78rj-jch8-42m8"
            }
          ],
          "source": {
            "advisory": "GHSA-78rj-jch8-42m8",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe: IDOR in update_onboarding_step"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44976",
        "datePublished": "2026-06-12T14:38:00.385Z",
        "dateReserved": "2026-05-08T16:23:33.264Z",
        "dateUpdated": "2026-06-12T15:57:57.457Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44975 (GCVE-0-2026-44975)

    Vulnerability from cvelistv5 – Published: 2026-06-12 14:35 – Updated: 2026-06-12 16:43
    VLAI
    Title
    Frappe: Missing authorization on reset form tours
    Summary
    Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 15.107.2
    Affected: < 16.17.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44975",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T16:43:43.624122Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T16:43:56.354Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.107.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 16.17.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T14:35:55.444Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-9cxj-48g3-jx22",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-9cxj-48g3-jx22"
            }
          ],
          "source": {
            "advisory": "GHSA-9cxj-48g3-jx22",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe: Missing authorization on reset form tours"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44975",
        "datePublished": "2026-06-12T14:35:55.444Z",
        "dateReserved": "2026-05-08T16:23:33.264Z",
        "dateUpdated": "2026-06-12T16:43:56.354Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44206 (GCVE-0-2026-44206)

    Vulnerability from cvelistv5 – Published: 2026-06-12 14:34 – Updated: 2026-06-12 15:58
    VLAI
    Title
    Frappe: DB Schema Enumeration via Frappe-Authorization-Source
    Summary
    Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration is possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 15.107.2
    Affected: < 16.17.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44206",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T15:58:18.706598Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T15:58:30.973Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.107.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 16.17.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration is possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T14:34:00.833Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-9c55-cq5r-qj5x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-9c55-cq5r-qj5x"
            }
          ],
          "source": {
            "advisory": "GHSA-9c55-cq5r-qj5x",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe: DB Schema Enumeration via Frappe-Authorization-Source"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44206",
        "datePublished": "2026-06-12T14:34:00.833Z",
        "dateReserved": "2026-05-05T15:13:47.571Z",
        "dateUpdated": "2026-06-12T15:58:30.973Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44207 (GCVE-0-2026-44207)

    Vulnerability from cvelistv5 – Published: 2026-06-12 14:27 – Updated: 2026-06-12 16:28
    VLAI
    Title
    Frappe: Insecure Direct Object Reference for email accounts
    Summary
    Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allows authenticated users to access other users' email configuration details. This issue has been patched in versions 15.107.0 and 16.17.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 15.107.0
    Affected: < 16.17.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44207",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T16:27:49.988409Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T16:28:29.384Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.107.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 16.17.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allows authenticated users to access other users\u0027 email configuration details. This issue has been patched in versions 15.107.0 and 16.17.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T14:27:58.128Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-cw6v-39qx-7r74",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-cw6v-39qx-7r74"
            }
          ],
          "source": {
            "advisory": "GHSA-cw6v-39qx-7r74",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe: Insecure Direct Object Reference for email accounts"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44207",
        "datePublished": "2026-06-12T14:27:58.128Z",
        "dateReserved": "2026-05-05T15:13:47.571Z",
        "dateUpdated": "2026-06-12T16:28:29.384Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44208 (GCVE-0-2026-44208)

    Vulnerability from cvelistv5 – Published: 2026-06-12 14:26 – Updated: 2026-06-13 03:14
    VLAI
    Title
    Frappe: IDOR in `submit_discussion()`
    Summary
    Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 15.107.0
    Affected: < 16.17.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44208",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-13T03:13:21.423395Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-13T03:14:01.435Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.107.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 16.17.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the \"submit_discussion()\" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T14:26:17.323Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-xh7m-j2j2-82f2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-xh7m-j2j2-82f2"
            }
          ],
          "source": {
            "advisory": "GHSA-xh7m-j2j2-82f2",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe: IDOR in `submit_discussion()`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44208",
        "datePublished": "2026-06-12T14:26:17.323Z",
        "dateReserved": "2026-05-05T15:13:47.571Z",
        "dateUpdated": "2026-06-13T03:14:01.435Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44205 (GCVE-0-2026-44205)

    Vulnerability from cvelistv5 – Published: 2026-06-12 14:23 – Updated: 2026-06-12 16:02
    VLAI
    Title
    Frappe: Stored Cross-Site Scripting (XSS) in User Profile through Image Upload
    Summary
    Frappe is a full-stack web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allows an attacker to execute malicious scripts in the browsers of other users. This issue has been patched in version 15.106.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 15.106.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44205",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T16:02:26.214512Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T16:02:36.022Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.106.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allows an attacker to execute malicious scripts in the browsers of other users. This issue has been patched in version 15.106.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T14:23:45.308Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-2wx6-8gmq-x4fw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-2wx6-8gmq-x4fw"
            }
          ],
          "source": {
            "advisory": "GHSA-2wx6-8gmq-x4fw",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe: Stored Cross-Site Scripting (XSS) in User Profile through Image Upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44205",
        "datePublished": "2026-06-12T14:23:45.308Z",
        "dateReserved": "2026-05-05T15:13:47.571Z",
        "dateUpdated": "2026-06-12T16:02:36.022Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41581 (GCVE-0-2026-41581)

    Vulnerability from cvelistv5 – Published: 2026-06-12 14:22 – Updated: 2026-06-12 14:56
    VLAI
    Title
    Frappe Vulnerable to Possible SQL Injection via get_blog_list
    Summary
    Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, there is a possible SQL Injection via get_blog_list. This issue has been patched in versions 15.106.0 and 16.16.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    frappe frappe Affected: < 15.106.0
    Affected: < 16.16.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41581",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T14:56:39.556744Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T14:56:53.836Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frappe",
              "vendor": "frappe",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 15.106.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 16.16.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, there is a possible SQL Injection via get_blog_list. This issue has been patched in versions 15.106.0 and 16.16.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T14:22:46.804Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/frappe/frappe/security/advisories/GHSA-h9hf-57r4-cm65",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/frappe/frappe/security/advisories/GHSA-h9hf-57r4-cm65"
            }
          ],
          "source": {
            "advisory": "GHSA-h9hf-57r4-cm65",
            "discovery": "UNKNOWN"
          },
          "title": "Frappe Vulnerable to Possible SQL Injection via get_blog_list"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41581",
        "datePublished": "2026-06-12T14:22:46.804Z",
        "dateReserved": "2026-04-21T14:15:21.958Z",
        "dateUpdated": "2026-06-12T14:56:53.836Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }