Search
Find a vulnerability
Search criteria
171 vulnerabilities by frappe
CVE-2026-55852 (GCVE-0-2026-55852)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:28 – Updated: 2026-07-10 21:28
VLAI
EPSS
VEX
Title
Frappe: TarSlip RCE in Package Import
Summary
Frappe is a full-stack web application framework. Prior to 16.23.0 and 15.112.0, TarSlip RCE was possible in Package Import because tarfile members were not sufficiently checked before extraction. This issue is fixed in versions 16.23.0 and 15.112.0.
Severity
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
| https://github.com/frappe/frappe/pull/38716 | x_refsource_MISC |
| https://github.com/frappe/frappe/pull/40044 | x_refsource_MISC |
| https://github.com/frappe/frappe/pull/40045 | x_refsource_MISC |
| https://github.com/frappe/frappe/commit/3c75f13fd… | x_refsource_MISC |
| https://github.com/frappe/frappe/commit/4772e3e7f… | x_refsource_MISC |
| https://github.com/frappe/frappe/commit/57e527d93… | x_refsource_MISC |
| https://github.com/frappe/frappe/releases/tag/v15.112.0 | x_refsource_MISC |
| https://github.com/frappe/frappe/releases/tag/v16.23.0 | x_refsource_MISC |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.112.0"
},
{
"status": "affected",
"version": "\u003e= 16.0.0-beta.1, \u003c 16.23.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to 16.23.0 and 15.112.0, TarSlip RCE was possible in Package Import because tarfile members were not sufficiently checked before extraction. This issue is fixed in versions 16.23.0 and 15.112.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:28:29.445Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-58w2-4cjg-hvp6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-58w2-4cjg-hvp6"
},
{
"name": "https://github.com/frappe/frappe/pull/38716",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/38716"
},
{
"name": "https://github.com/frappe/frappe/pull/40044",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/40044"
},
{
"name": "https://github.com/frappe/frappe/pull/40045",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/40045"
},
{
"name": "https://github.com/frappe/frappe/commit/3c75f13fd7d4441a880dd236450277dc37fcddfd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/3c75f13fd7d4441a880dd236450277dc37fcddfd"
},
{
"name": "https://github.com/frappe/frappe/commit/4772e3e7f72db43d48137af74fa77e5fce903223",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/4772e3e7f72db43d48137af74fa77e5fce903223"
},
{
"name": "https://github.com/frappe/frappe/commit/57e527d933aeffaec0cd735838701792c848e3e7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/57e527d933aeffaec0cd735838701792c848e3e7"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v15.112.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v15.112.0"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v16.23.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v16.23.0"
}
],
"source": {
"advisory": "GHSA-58w2-4cjg-hvp6",
"discovery": "UNKNOWN"
},
"title": "Frappe: TarSlip RCE in Package Import"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55852",
"datePublished": "2026-07-10T21:28:29.445Z",
"dateReserved": "2026-06-17T16:44:40.995Z",
"dateUpdated": "2026-07-10T21:28:29.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42219 (GCVE-0-2026-42219)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:26 – Updated: 2026-07-10 21:26
VLAI
EPSS
VEX
Title
Frappe: Path Traversal via /backups Route
Summary
Frappe is a full-stack web application framework. Prior to 16.19.0 and 15.109.0, path traversal via download_backups was possible due to lack of hardening. This issue is fixed in versions 16.19.0 and 15.109.0.
Severity
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
| https://github.com/frappe/frappe/pull/38740 | x_refsource_MISC |
| https://github.com/frappe/frappe/pull/39402 | x_refsource_MISC |
| https://github.com/frappe/frappe/pull/39403 | x_refsource_MISC |
| https://github.com/frappe/frappe/commit/4358f5bd4… | x_refsource_MISC |
| https://github.com/frappe/frappe/commit/a470a1189… | x_refsource_MISC |
| https://github.com/frappe/frappe/commit/a562ef2a5… | x_refsource_MISC |
| https://github.com/frappe/frappe/releases/tag/v15.109.0 | x_refsource_MISC |
| https://github.com/frappe/frappe/releases/tag/v16.19.0 | x_refsource_MISC |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.109.0"
},
{
"status": "affected",
"version": "\u003e= 16.0.0-beta.1, \u003c 16.19.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to 16.19.0 and 15.109.0, path traversal via download_backups was possible due to lack of hardening. This issue is fixed in versions 16.19.0 and 15.109.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:26:30.005Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-w4p4-fp9m-47gj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-w4p4-fp9m-47gj"
},
{
"name": "https://github.com/frappe/frappe/pull/38740",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/38740"
},
{
"name": "https://github.com/frappe/frappe/pull/39402",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/39402"
},
{
"name": "https://github.com/frappe/frappe/pull/39403",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/39403"
},
{
"name": "https://github.com/frappe/frappe/commit/4358f5bd449710027724a1679950d4ea65da6dcc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/4358f5bd449710027724a1679950d4ea65da6dcc"
},
{
"name": "https://github.com/frappe/frappe/commit/a470a1189132984635e2ec148f87de5232f5535d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/a470a1189132984635e2ec148f87de5232f5535d"
},
{
"name": "https://github.com/frappe/frappe/commit/a562ef2a5a3885895b9f9cf14d5a53e32e52d326",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/a562ef2a5a3885895b9f9cf14d5a53e32e52d326"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v15.109.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v15.109.0"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v16.19.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v16.19.0"
}
],
"source": {
"advisory": "GHSA-w4p4-fp9m-47gj",
"discovery": "UNKNOWN"
},
"title": "Frappe: Path Traversal via /backups Route"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42219",
"datePublished": "2026-07-10T21:26:30.005Z",
"dateReserved": "2026-04-25T05:04:37.029Z",
"dateUpdated": "2026-07-10T21:26:30.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49394 (GCVE-0-2026-49394)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:24 – Updated: 2026-07-10 21:24
VLAI
EPSS
VEX
Title
Frappe: Auth. bypass via update_page
Summary
Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the update_page endpoint in Workspace because public workspaces did not receive the required Workspace Manager edit check. This issue is fixed in version 16.19.0.
Severity
CWE
- CWE-862 - Missing Authorization
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
| https://github.com/frappe/frappe/pull/39508 | x_refsource_MISC |
| https://github.com/frappe/frappe/pull/39526 | x_refsource_MISC |
| https://github.com/frappe/frappe/commit/2471d94c3… | x_refsource_MISC |
| https://github.com/frappe/frappe/commit/6eba29d7a… | x_refsource_MISC |
| https://github.com/frappe/frappe/releases/tag/v16.19.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 16.19.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the update_page endpoint in Workspace because public workspaces did not receive the required Workspace Manager edit check. This issue is fixed in version 16.19.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:24:47.624Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-r24j-xrj8-273q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-r24j-xrj8-273q"
},
{
"name": "https://github.com/frappe/frappe/pull/39508",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/39508"
},
{
"name": "https://github.com/frappe/frappe/pull/39526",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/39526"
},
{
"name": "https://github.com/frappe/frappe/commit/2471d94c397dc23301b30ed3bb30353f53b33f2c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/2471d94c397dc23301b30ed3bb30353f53b33f2c"
},
{
"name": "https://github.com/frappe/frappe/commit/6eba29d7ae80cdb4d0b2a245a477b1d2312736ca",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/6eba29d7ae80cdb4d0b2a245a477b1d2312736ca"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v16.19.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v16.19.0"
}
],
"source": {
"advisory": "GHSA-r24j-xrj8-273q",
"discovery": "UNKNOWN"
},
"title": "Frappe: Auth. bypass via update_page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49394",
"datePublished": "2026-07-10T21:24:47.624Z",
"dateReserved": "2026-05-29T19:08:01.256Z",
"dateUpdated": "2026-07-10T21:24:47.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48127 (GCVE-0-2026-48127)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:23 – Updated: 2026-07-10 21:23
VLAI
EPSS
VEX
Title
Frappe: Arbitrary Attachment Injection via add_attachments and upload_file
Summary
Frappe is a full-stack web application framework. Prior to 16.20.0 and 15.110.0, users without write access could attach files to any doctype through file-handling API endpoints such as add_attachments. This issue is fixed in versions 16.20.0 and 15.110.0.
Severity
CWE
- CWE-862 - Missing Authorization
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
| https://github.com/frappe/frappe/pull/39407 | x_refsource_MISC |
| https://github.com/frappe/frappe/pull/39550 | x_refsource_MISC |
| https://github.com/frappe/frappe/pull/39553 | x_refsource_MISC |
| https://github.com/frappe/frappe/commit/4bf27db10… | x_refsource_MISC |
| https://github.com/frappe/frappe/commit/b1c86042e… | x_refsource_MISC |
| https://github.com/frappe/frappe/commit/fee1af6d8… | x_refsource_MISC |
| https://github.com/frappe/frappe/releases/tag/v15.110.0 | x_refsource_MISC |
| https://github.com/frappe/frappe/releases/tag/v16.20.0 | x_refsource_MISC |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.110.0"
},
{
"status": "affected",
"version": "\u003e= 16.0.0-beta.1, \u003c 16.20.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to 16.20.0 and 15.110.0, users without write access could attach files to any doctype through file-handling API endpoints such as add_attachments. This issue is fixed in versions 16.20.0 and 15.110.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:23:37.101Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-fwrv-4rw4-97fw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-fwrv-4rw4-97fw"
},
{
"name": "https://github.com/frappe/frappe/pull/39407",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/39407"
},
{
"name": "https://github.com/frappe/frappe/pull/39550",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/39550"
},
{
"name": "https://github.com/frappe/frappe/pull/39553",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/39553"
},
{
"name": "https://github.com/frappe/frappe/commit/4bf27db101c34bd542a760290fc0775efa5cd0e4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/4bf27db101c34bd542a760290fc0775efa5cd0e4"
},
{
"name": "https://github.com/frappe/frappe/commit/b1c86042e6f85986f35365c80bb1d102ff1cd0e4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/b1c86042e6f85986f35365c80bb1d102ff1cd0e4"
},
{
"name": "https://github.com/frappe/frappe/commit/fee1af6d89910f6b174fd094184060aeb641d07d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/fee1af6d89910f6b174fd094184060aeb641d07d"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v15.110.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v15.110.0"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v16.20.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v16.20.0"
}
],
"source": {
"advisory": "GHSA-fwrv-4rw4-97fw",
"discovery": "UNKNOWN"
},
"title": "Frappe: Arbitrary Attachment Injection via add_attachments and upload_file"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48127",
"datePublished": "2026-07-10T21:23:37.101Z",
"dateReserved": "2026-05-20T18:46:58.292Z",
"dateUpdated": "2026-07-10T21:23:37.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41482 (GCVE-0-2026-41482)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:20 – Updated: 2026-07-10 21:20
VLAI
EPSS
VEX
Title
Frappe: Possible Path Traversal and Local File Inclusion via Chrome PDF Generator
Summary
Frappe is a full-stack web application framework. Prior to 16.18.3, possible path traversal and local file inclusion were possible through secure local resource access in the Chrome PDF Generator. This issue is fixed in version 16.18.3.
Severity
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
| https://github.com/frappe/frappe/pull/38643 | x_refsource_MISC |
| https://github.com/frappe/frappe/pull/39396 | x_refsource_MISC |
| https://github.com/frappe/frappe/commit/11066591e… | x_refsource_MISC |
| https://github.com/frappe/frappe/commit/46841f7fd… | x_refsource_MISC |
| https://github.com/frappe/frappe/releases/tag/v16.18.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 16.18.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to 16.18.3, possible path traversal and local file inclusion were possible through secure local resource access in the Chrome PDF Generator. This issue is fixed in version 16.18.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:20:36.507Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-234v-jfr8-v2f8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-234v-jfr8-v2f8"
},
{
"name": "https://github.com/frappe/frappe/pull/38643",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/38643"
},
{
"name": "https://github.com/frappe/frappe/pull/39396",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/39396"
},
{
"name": "https://github.com/frappe/frappe/commit/11066591ed7aa91a7b742f3f689277a90e620ce0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/11066591ed7aa91a7b742f3f689277a90e620ce0"
},
{
"name": "https://github.com/frappe/frappe/commit/46841f7fde3954e1d3b3a7e248a6d6022343e657",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/46841f7fde3954e1d3b3a7e248a6d6022343e657"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v16.18.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v16.18.3"
}
],
"source": {
"advisory": "GHSA-234v-jfr8-v2f8",
"discovery": "UNKNOWN"
},
"title": "Frappe: Possible Path Traversal and Local File Inclusion via Chrome PDF Generator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41482",
"datePublished": "2026-07-10T21:20:36.507Z",
"dateReserved": "2026-04-20T16:14:19.006Z",
"dateUpdated": "2026-07-10T21:20:36.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47199 (GCVE-0-2026-47199)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:14 – Updated: 2026-07-10 21:14
VLAI
EPSS
VEX
Title
Frappe: check_safe_sql_query Permits SELECT INTO OUTFILE
Summary
Frappe is a full-stack web application framework. Prior to 16.18.3 and 15.108.0, check_safe_sql_query permitted SELECT INTO OUTFILE queries, which could potentially work on self-hosted sites if database permissions are not well aligned and MySQL FILE privileges are available. This issue is fixed in versions 16.18.3 and 15.108.0.
Severity
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
| https://github.com/frappe/frappe/pull/39345 | x_refsource_MISC |
| https://github.com/frappe/frappe/pull/39346 | x_refsource_MISC |
| https://github.com/frappe/frappe/commit/628e103f7… | x_refsource_MISC |
| https://github.com/frappe/frappe/commit/91d3ded03… | x_refsource_MISC |
| https://github.com/frappe/frappe/releases/tag/v15.108.0 | x_refsource_MISC |
| https://github.com/frappe/frappe/releases/tag/v16.18.3 | x_refsource_MISC |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.108.0"
},
{
"status": "affected",
"version": "\u003e= 16.0.0-beta.1, \u003c 16.18.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to 16.18.3 and 15.108.0, check_safe_sql_query permitted SELECT INTO OUTFILE queries, which could potentially work on self-hosted sites if database permissions are not well aligned and MySQL FILE privileges are available. This issue is fixed in versions 16.18.3 and 15.108.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:14:12.195Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-wx8j-cw4r-vrhv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-wx8j-cw4r-vrhv"
},
{
"name": "https://github.com/frappe/frappe/pull/39345",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/39345"
},
{
"name": "https://github.com/frappe/frappe/pull/39346",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/39346"
},
{
"name": "https://github.com/frappe/frappe/commit/628e103f7ffe307447d9fc9e2c572cbddedfa3b5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/628e103f7ffe307447d9fc9e2c572cbddedfa3b5"
},
{
"name": "https://github.com/frappe/frappe/commit/91d3ded038d1c901b73f4a2293e134d691c1662d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/91d3ded038d1c901b73f4a2293e134d691c1662d"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v15.108.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v15.108.0"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v16.18.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v16.18.3"
}
],
"source": {
"advisory": "GHSA-wx8j-cw4r-vrhv",
"discovery": "UNKNOWN"
},
"title": "Frappe: check_safe_sql_query Permits SELECT INTO OUTFILE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47199",
"datePublished": "2026-07-10T21:14:12.195Z",
"dateReserved": "2026-05-18T22:07:37.436Z",
"dateUpdated": "2026-07-10T21:14:12.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58503 (GCVE-0-2026-58503)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:12 – Updated: 2026-07-10 21:12
VLAI
EPSS
VEX
Title
Frappe: Unauthenticated User Enumeration via reset_password
Summary
Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the reset_password endpoint. This issue is fixed in versions 16.16.0 and 15.106.0.
Severity
CWE
- CWE-203 - Observable Discrepancy
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
| https://github.com/frappe/frappe/pull/38625 | x_refsource_MISC |
| https://github.com/frappe/frappe/pull/38626 | x_refsource_MISC |
| https://github.com/frappe/frappe/commit/1ff64d4a6… | x_refsource_MISC |
| https://github.com/frappe/frappe/commit/d3becf567… | x_refsource_MISC |
| https://github.com/frappe/frappe/releases/tag/v15.106.0 | x_refsource_MISC |
| https://github.com/frappe/frappe/releases/tag/v16.16.0 | x_refsource_MISC |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.106.0"
},
{
"status": "affected",
"version": "\u003e= 16.0.0-beta1, \u003c 16.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the reset_password endpoint. This issue is fixed in versions 16.16.0 and 15.106.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "CWE-203: Observable Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:12:28.742Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-3vqc-c545-w7jg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-3vqc-c545-w7jg"
},
{
"name": "https://github.com/frappe/frappe/pull/38625",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/38625"
},
{
"name": "https://github.com/frappe/frappe/pull/38626",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/pull/38626"
},
{
"name": "https://github.com/frappe/frappe/commit/1ff64d4a67f9a6d8819ac059dc69f023fb9ea264",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/1ff64d4a67f9a6d8819ac059dc69f023fb9ea264"
},
{
"name": "https://github.com/frappe/frappe/commit/d3becf5672cbb5c7150447161941aeebeeb84ae8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/commit/d3becf5672cbb5c7150447161941aeebeeb84ae8"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v15.106.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v15.106.0"
},
{
"name": "https://github.com/frappe/frappe/releases/tag/v16.16.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/frappe/releases/tag/v16.16.0"
}
],
"source": {
"advisory": "GHSA-3vqc-c545-w7jg",
"discovery": "UNKNOWN"
},
"title": "Frappe: Unauthenticated User Enumeration via reset_password"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-58503",
"datePublished": "2026-07-10T21:12:28.742Z",
"dateReserved": "2026-06-30T20:21:25.813Z",
"dateUpdated": "2026-07-10T21:12:28.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47422 (GCVE-0-2026-47422)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:09 – Updated: 2026-07-10 21:09
VLAI
EPSS
VEX
Title
Frappe: Unrestricted API access to save_report
Summary
Frappe is a full-stack web application framework. Prior to 15.107.5 and 16.18.2, an endpoint in reportview lacked appropriate permission checks and that has since been fixed. This vulnerability is fixed in 15.107.5 and 16.18.2.
Severity
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.107.5"
},
{
"status": "affected",
"version": "\u003e= 16.0.0-beta.1, \u003c 6.18.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to 15.107.5 and 16.18.2, an endpoint in reportview lacked appropriate permission checks and that has since been fixed. This vulnerability is fixed in 15.107.5 and 16.18.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:09:58.177Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-w8g7-j846-j248",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-w8g7-j846-j248"
}
],
"source": {
"advisory": "GHSA-w8g7-j846-j248",
"discovery": "UNKNOWN"
},
"title": "Frappe: Unrestricted API access to save_report"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47422",
"datePublished": "2026-07-10T21:09:58.177Z",
"dateReserved": "2026-05-19T19:37:43.526Z",
"dateUpdated": "2026-07-10T21:09:58.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50712 (GCVE-0-2026-50712)
Vulnerability from cvelistv5 – Published: 2026-06-24 15:26 – Updated: 2026-06-24 15:38
VLAI
EPSS
VEX
Title
Frappe Framework 17.0.0-dev - Stored XSS in Tree View node label rendering
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.ui.Tree component
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/es/advisories/misfits | third-party-advisory |
| https://github.com/frappe/frappe | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Frappe | Frappe Framework |
Affected:
17.0.0-dev
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50712",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T15:38:16.877100Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:38:21.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://fluidattacks.com/es/advisories/misfits"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"MacOS",
"Linux"
],
"product": "Frappe Framework",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "17.0.0-dev"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fluid Attacks\u0027 AI SAST Scanner"
},
{
"lang": "en",
"type": "finder",
"value": "Oscar Uribe"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.ui.Tree component\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.ui.Tree component"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:26:54.413Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/es/advisories/misfits"
},
{
"tags": [
"product"
],
"url": "https://github.com/frappe/frappe"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Frappe Framework 17.0.0-dev - Stored XSS in Tree View node label rendering",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2026-50712",
"datePublished": "2026-06-24T15:26:54.413Z",
"dateReserved": "2026-06-05T14:49:25.370Z",
"dateUpdated": "2026-06-24T15:38:21.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50711 (GCVE-0-2026-50711)
Vulnerability from cvelistv5 – Published: 2026-06-24 15:18 – Updated: 2026-06-24 15:42
VLAI
EPSS
VEX
Title
Frappe Framework 17.0.0-dev - Stored XSS in Number Card filter fields rendering
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/es/advisories/disturbed | third-party-advisory |
| https://github.com/frappe/frappe | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Frappe | Frappe Framework |
Affected:
17.0.0-dev
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50711",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T15:42:35.460125Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:42:49.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://fluidattacks.com/es/advisories/disturbed"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"MacOS",
"Linux"
],
"product": "Frappe Framework",
"repo": "https://github.com/frappe/frappe",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "17.0.0-dev"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fluid Attacks\u0027 AI SAST Scanner"
},
{
"lang": "en",
"type": "finder",
"value": "Oscar Uribe"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component. \u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:18:43.359Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/es/advisories/disturbed"
},
{
"tags": [
"product"
],
"url": "https://github.com/frappe/frappe"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Frappe Framework 17.0.0-dev - Stored XSS in Number Card filter fields rendering",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2026-50711",
"datePublished": "2026-06-24T15:18:43.359Z",
"dateReserved": "2026-06-05T14:49:25.370Z",
"dateUpdated": "2026-06-24T15:42:49.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50710 (GCVE-0-2026-50710)
Vulnerability from cvelistv5 – Published: 2026-06-24 15:08 – Updated: 2026-06-24 15:44
VLAI
EPSS
VEX
Title
Frappe Framework 17.0.0-dev - Stored XSS via eval in Number Card filters_config
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/es/advisories/sum41 | third-party-advisory |
| https://github.com/frappe/frappe | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Frappe | Frappe Framework |
Affected:
17.0.0-dev
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50710",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T15:43:45.566286Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:44:26.768Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://fluidattacks.com/es/advisories/sum41"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"MacOS",
"Linux"
],
"product": "Frappe Framework",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "17.0.0-dev"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fluid Attacks\u0027 AI SAST Scanner"
},
{
"lang": "en",
"type": "finder",
"value": "Oscar Uribe"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component. \u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:08:41.416Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/es/advisories/sum41"
},
{
"tags": [
"product"
],
"url": "https://github.com/frappe/frappe"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Frappe Framework 17.0.0-dev - Stored XSS via eval in Number Card filters_config",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2026-50710",
"datePublished": "2026-06-24T15:08:41.416Z",
"dateReserved": "2026-06-05T14:49:25.370Z",
"dateUpdated": "2026-06-24T15:44:26.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50709 (GCVE-0-2026-50709)
Vulnerability from cvelistv5 – Published: 2026-06-24 15:04 – Updated: 2026-06-24 15:44
VLAI
EPSS
VEX
Title
Frappe Framework 17.0.0-dev - Stored XSS in Notifications Events color rendering
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications > Events panel.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/es/advisories/journey | third-party-advisory |
| https://github.com/frappe/frappe | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Frappe | Frappe Framework |
Affected:
17.0.0-dev
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50709",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T15:44:56.401711Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:44:59.251Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://fluidattacks.com/es/advisories/journey"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"MacOS",
"Linux"
],
"product": "Frappe Framework",
"repo": "https://github.com/frappe/frappe",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "17.0.0-dev"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fluid Attacks\u0027 AI SAST Scanner"
},
{
"lang": "en",
"type": "finder",
"value": "Oscar Uribe"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications \u0026gt; Events panel.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications \u003e Events panel."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:04:39.793Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/es/advisories/journey"
},
{
"tags": [
"product"
],
"url": "https://github.com/frappe/frappe"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Frappe Framework 17.0.0-dev - Stored XSS in Notifications Events color rendering",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2026-50709",
"datePublished": "2026-06-24T15:04:39.793Z",
"dateReserved": "2026-06-05T14:49:25.370Z",
"dateUpdated": "2026-06-24T15:44:59.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50708 (GCVE-0-2026-50708)
Vulnerability from cvelistv5 – Published: 2026-06-24 14:58 – Updated: 2026-06-24 15:47
VLAI
EPSS
VEX
Title
Frappe Framework 17.0.0-dev - Stored XSS in Multi Select Dialog result rendering
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the MultiSelectDialog component.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/es/advisories/extremoduro | third-party-advisory |
| https://github.com/frappe/frappe | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Frappe | Frappe Framework |
Affected:
17.0.0-dev
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50708",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T15:45:53.899182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:47:02.132Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://fluidattacks.com/es/advisories/extremoduro"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"MacOS",
"Linux"
],
"product": "Frappe Framework",
"repo": "https://github.com/frappe/frappe",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "17.0.0-dev"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fluid Attacks\u0027 AI SAST Scanner"
},
{
"lang": "en",
"type": "finder",
"value": "Oscar Uribe"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the MultiSelectDialog component.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the MultiSelectDialog component."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T14:58:51.624Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/es/advisories/extremoduro"
},
{
"tags": [
"product"
],
"url": "https://github.com/frappe/frappe"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Frappe Framework 17.0.0-dev - Stored XSS in Multi Select Dialog result rendering",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2026-50708",
"datePublished": "2026-06-24T14:58:51.624Z",
"dateReserved": "2026-06-05T14:49:25.369Z",
"dateUpdated": "2026-06-24T15:47:02.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50705 (GCVE-0-2026-50705)
Vulnerability from cvelistv5 – Published: 2026-06-24 14:51 – Updated: 2026-06-24 15:47
VLAI
EPSS
VEX
Title
Frappe Framework 17.0.0-dev - Stored XSS in Form Dashboard headline rendering
Summary
A Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/es/advisories/aterciopelados | third-party-advisory |
| https://github.com/frappe/frappe | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Frappe | Frappe Framework |
Affected:
17.0.0-dev
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50705",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T15:47:32.423824Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:47:54.787Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://fluidattacks.com/es/advisories/aterciopelados"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"MacOS",
"Linux"
],
"product": "Frappe Framework",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "17.0.0-dev"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fluid Attacks\u0027 AI SAST Scanner"
},
{
"lang": "en",
"type": "finder",
"value": "Oscar Uribe"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T14:51:29.034Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/es/advisories/aterciopelados"
},
{
"tags": [
"product"
],
"url": "https://github.com/frappe/frappe"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Frappe Framework 17.0.0-dev - Stored XSS in Form Dashboard headline rendering",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2026-50705",
"datePublished": "2026-06-24T14:51:29.034Z",
"dateReserved": "2026-06-05T14:49:25.369Z",
"dateUpdated": "2026-06-24T15:47:54.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50704 (GCVE-0-2026-50704)
Vulnerability from cvelistv5 – Published: 2026-06-24 14:46 – Updated: 2026-06-24 15:48
VLAI
EPSS
VEX
Title
Frappe Framework 17.0.0-dev - Reflected/Stored XSS in File View breadcrumbs rendering
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the File View breadcrumb renderer.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/es/advisories/molotov | third-party-advisory |
| https://github.com/frappe/frappe | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Frappe | Frappe Framework |
Affected:
17.0.0-dev
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50704",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T15:48:15.033132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:48:38.475Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://fluidattacks.com/es/advisories/molotov"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"MacOS",
"Linux"
],
"product": "Frappe Framework",
"repo": "https://github.com/frappe/frappe",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "17.0.0-dev"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fluid Attacks\u0027 AI SAST Scanner"
},
{
"lang": "en",
"type": "finder",
"value": "Oscar Uribe"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the File View breadcrumb renderer. \u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the File View breadcrumb renderer."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T14:46:38.275Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/es/advisories/molotov"
},
{
"tags": [
"product"
],
"url": "https://github.com/frappe/frappe"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Frappe Framework 17.0.0-dev - Reflected/Stored XSS in File View breadcrumbs rendering",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2026-50704",
"datePublished": "2026-06-24T14:46:38.275Z",
"dateReserved": "2026-06-05T14:49:25.369Z",
"dateUpdated": "2026-06-24T15:48:38.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50703 (GCVE-0-2026-50703)
Vulnerability from cvelistv5 – Published: 2026-06-24 14:42 – Updated: 2026-06-24 15:49
VLAI
EPSS
VEX
Title
Frappe Framework 17.0.0-dev - Stored XSS in Desktop Icon label rendering
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Desk desktop icon renderer.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/es/advisories/soja | third-party-advisory |
| https://github.com/frappe/frappe | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Frappe | Frappe Framework |
Affected:
17.0.0-dev
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50703",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T15:49:16.406474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:49:22.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"MacOS",
"Linux"
],
"product": "Frappe Framework",
"repo": "https://github.com/frappe/frappe",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "17.0.0-dev"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fluid Attacks\u0027 AI SAST Scanner"
},
{
"lang": "en",
"type": "finder",
"value": "Oscar Uribe"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Desk desktop icon renderer.\u003c/p\u003e"
}
],
"value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Desk desktop icon renderer."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T14:42:09.075Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/es/advisories/soja"
},
{
"tags": [
"product"
],
"url": "https://github.com/frappe/frappe"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Frappe Framework 17.0.0-dev - Stored XSS in Desktop Icon label rendering",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2026-50703",
"datePublished": "2026-06-24T14:42:09.075Z",
"dateReserved": "2026-06-05T14:49:25.369Z",
"dateUpdated": "2026-06-24T15:49:22.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50701 (GCVE-0-2026-50701)
Vulnerability from cvelistv5 – Published: 2026-06-24 14:33 – Updated: 2026-06-24 15:49
VLAI
EPSS
VEX
Title
Frappe Framework 17.0.0-dev - Reflected DOM XSS in dashboard-view breadcrumb rendering
Summary
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/es/advisories/nena | third-party-advisory |
| https://github.com/frappe/frappe | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Frappe | Frappe Framework |
Affected:
17.0.0-dev
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T15:49:49.712333Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:49:55.677Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"MacOS",
"Linux"
],
"product": "Frappe Framework",
"repo": "https://github.com/frappe/frappe",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "17.0.0-dev"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fluid Attacks\u0027 AI SAST Scanner"
},
{
"lang": "en",
"type": "finder",
"value": "Oscar Uribe"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T14:33:09.315Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/es/advisories/nena"
},
{
"tags": [
"product"
],
"url": "https://github.com/frappe/frappe"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Frappe Framework 17.0.0-dev - Reflected DOM XSS in dashboard-view breadcrumb rendering",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2026-50701",
"datePublished": "2026-06-24T14:33:09.315Z",
"dateReserved": "2026-06-05T14:49:25.369Z",
"dateUpdated": "2026-06-24T15:49:55.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50700 (GCVE-0-2026-50700)
Vulnerability from cvelistv5 – Published: 2026-06-24 14:27 – Updated: 2026-06-24 15:50
VLAI
EPSS
VEX
Title
Frappe Framework 17.0.0-dev - Stored XSS in frappe.get_avatar image rendering
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.get_avatar function.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/es/advisories/caligaris | third-party-advisory |
| https://github.com/frappe/frappe | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Frappe | Frappe Framework |
Affected:
17.0.0-dev
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50700",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T15:50:15.340970Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:50:40.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux",
"MacOS"
],
"product": "Frappe Framework",
"repo": "https://github.com/frappe/frappe",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "17.0.0-dev"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fluid Attacks\u0027 AI SAST Scanner"
},
{
"lang": "en",
"type": "finder",
"value": "Oscar Uribe"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.get_avatar function.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.get_avatar function."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T14:27:06.382Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/es/advisories/caligaris"
},
{
"tags": [
"product"
],
"url": "https://github.com/frappe/frappe"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Frappe Framework 17.0.0-dev - Stored XSS in frappe.get_avatar image rendering",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2026-50700",
"datePublished": "2026-06-24T14:27:06.382Z",
"dateReserved": "2026-06-05T14:49:25.369Z",
"dateUpdated": "2026-06-24T15:50:40.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50699 (GCVE-0-2026-50699)
Vulnerability from cvelistv5 – Published: 2026-06-24 14:20 – Updated: 2026-06-24 14:45
VLAI
EPSS
VEX
Title
Frappe Framework 17.0.0-dev - Stored XSS in Auto Repeat dashboard schedule rendering
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger script execution when users open the affected Auto Repeat form.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/es/advisories/monkeys | third-party-advisory |
| https://github.com/frappe/frappe | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Frappe | Frappe Framework |
Affected:
17.0.0-dev
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50699",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T14:45:44.122490Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T14:45:48.861Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://fluidattacks.com/es/advisories/monkeys"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux",
"MacOS"
],
"product": "Frappe Framework",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "17.0.0-dev"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fluid Attacks\u0027 AI SAST Scanner"
},
{
"lang": "en",
"type": "finder",
"value": "Oscar Uribe"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to \u003c/span\u003e\u003ccode\u003eAuto Repeat\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e can persist HTML/JavaScript in \u003c/span\u003e\u003ccode\u003ereference_document\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e using a whitelisted write path and trigger script execution when users open the affected \u003c/span\u003e\u003ccode\u003eAuto Repeat\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e form.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger script execution when users open the affected Auto Repeat form."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T14:20:31.447Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/es/advisories/monkeys"
},
{
"tags": [
"product"
],
"url": "https://github.com/frappe/frappe"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Frappe Framework 17.0.0-dev - Stored XSS in Auto Repeat dashboard schedule rendering",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2026-50699",
"datePublished": "2026-06-24T14:20:31.447Z",
"dateReserved": "2026-06-05T14:49:25.369Z",
"dateUpdated": "2026-06-24T14:45:48.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50698 (GCVE-0-2026-50698)
Vulnerability from cvelistv5 – Published: 2026-06-24 14:17 – Updated: 2026-06-24 14:48
VLAI
EPSS
VEX
Title
Frappe Framework 17.0.0-dev - Stored XSS in Audit Trail template rendering
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/es/advisories/rufus | third-party-advisory |
| https://github.com/frappe/frappe | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Frappe | Frappe Framework |
Affected:
17.0.0-dev
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50698",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T14:48:09.932212Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T14:48:14.522Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://fluidattacks.com/es/advisories/rufus"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux",
"MacOS"
],
"product": "Frappe Framework",
"repo": "https://github.com/frappe/frappe",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "17.0.0-dev"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:windows:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:linux:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:frappe:frappe_framework:17.0.0-dev:*:macos:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fluid Attacks\u0027 AI SAST Scanner"
},
{
"lang": "en",
"type": "finder",
"value": "Oscar Uribe"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T14:17:03.455Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/es/advisories/rufus"
},
{
"tags": [
"product"
],
"url": "https://github.com/frappe/frappe"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Frappe Framework 17.0.0-dev - Stored XSS in Audit Trail template rendering",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2026-50698",
"datePublished": "2026-06-24T14:17:03.455Z",
"dateReserved": "2026-06-05T14:49:25.369Z",
"dateUpdated": "2026-06-24T14:48:14.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53568 (GCVE-0-2026-53568)
Vulnerability from cvelistv5 – Published: 2026-06-12 14:45 – Updated: 2026-06-12 16:08
VLAI
EPSS
VEX
Title
Frappe: Stored XSS in Frappe Report/List View via 'set_link_title_field_value'
Summary
Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, there is a stored XSS vulnerablity in Frappe Report/List View. This issue has been patched in versions 15.107.2 and 16.17.4.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53568",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T16:08:16.906442Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T16:08:22.842Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.107.2"
},
{
"status": "affected",
"version": "\u003c 16.17.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, there is a stored XSS vulnerablity in Frappe Report/List View. This issue has been patched in versions 15.107.2 and 16.17.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:45:11.531Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-rx63-c3fh-8926",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-rx63-c3fh-8926"
}
],
"source": {
"advisory": "GHSA-rx63-c3fh-8926",
"discovery": "UNKNOWN"
},
"title": "Frappe: Stored XSS in Frappe Report/List View via \u0027set_link_title_field_value\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53568",
"datePublished": "2026-06-12T14:45:11.531Z",
"dateReserved": "2026-06-09T19:11:53.483Z",
"dateUpdated": "2026-06-12T16:08:22.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50026 (GCVE-0-2026-50026)
Vulnerability from cvelistv5 – Published: 2026-06-12 14:43 – Updated: 2026-06-12 16:07
VLAI
EPSS
VEX
Title
Frappe: Lack of permissions checks in 'relink' and 'set_email_password' endpoints
Summary
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, a lack of permission checks in these endpoints allowed unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50026",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T16:07:10.483294Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T16:07:17.900Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.107.0"
},
{
"status": "affected",
"version": "\u003c 16.17.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, a lack of permission checks in these endpoints allowed unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:43:41.190Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-q6m6-759h-46jp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-q6m6-759h-46jp"
}
],
"source": {
"advisory": "GHSA-q6m6-759h-46jp",
"discovery": "UNKNOWN"
},
"title": "Frappe: Lack of permissions checks in \u0027relink\u0027 and \u0027set_email_password\u0027 endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-50026",
"datePublished": "2026-06-12T14:43:41.190Z",
"dateReserved": "2026-06-02T22:46:02.580Z",
"dateUpdated": "2026-06-12T16:07:17.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47182 (GCVE-0-2026-47182)
Vulnerability from cvelistv5 – Published: 2026-06-12 14:39 – Updated: 2026-06-12 16:26
VLAI
EPSS
VEX
Title
Frappe: Broken Access Control on Private Files
Summary
Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47182",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T16:26:47.239754Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T16:26:53.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 16.17.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:39:57.995Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-gvg7-4p32-j648",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-gvg7-4p32-j648"
}
],
"source": {
"advisory": "GHSA-gvg7-4p32-j648",
"discovery": "UNKNOWN"
},
"title": "Frappe: Broken Access Control on Private Files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47182",
"datePublished": "2026-06-12T14:39:57.995Z",
"dateReserved": "2026-05-18T22:07:37.434Z",
"dateUpdated": "2026-06-12T16:26:53.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44976 (GCVE-0-2026-44976)
Vulnerability from cvelistv5 – Published: 2026-06-12 14:38 – Updated: 2026-06-12 15:57
VLAI
EPSS
VEX
Title
Frappe: IDOR in update_onboarding_step
Summary
Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44976",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T15:57:49.083034Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:57:57.457Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 16.17.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:38:00.385Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-78rj-jch8-42m8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-78rj-jch8-42m8"
}
],
"source": {
"advisory": "GHSA-78rj-jch8-42m8",
"discovery": "UNKNOWN"
},
"title": "Frappe: IDOR in update_onboarding_step"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44976",
"datePublished": "2026-06-12T14:38:00.385Z",
"dateReserved": "2026-05-08T16:23:33.264Z",
"dateUpdated": "2026-06-12T15:57:57.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44975 (GCVE-0-2026-44975)
Vulnerability from cvelistv5 – Published: 2026-06-12 14:35 – Updated: 2026-06-12 16:43
VLAI
EPSS
VEX
Title
Frappe: Missing authorization on reset form tours
Summary
Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44975",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T16:43:43.624122Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T16:43:56.354Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.107.2"
},
{
"status": "affected",
"version": "\u003c 16.17.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:35:55.444Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-9cxj-48g3-jx22",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-9cxj-48g3-jx22"
}
],
"source": {
"advisory": "GHSA-9cxj-48g3-jx22",
"discovery": "UNKNOWN"
},
"title": "Frappe: Missing authorization on reset form tours"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44975",
"datePublished": "2026-06-12T14:35:55.444Z",
"dateReserved": "2026-05-08T16:23:33.264Z",
"dateUpdated": "2026-06-12T16:43:56.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44206 (GCVE-0-2026-44206)
Vulnerability from cvelistv5 – Published: 2026-06-12 14:34 – Updated: 2026-06-12 15:58
VLAI
EPSS
VEX
Title
Frappe: DB Schema Enumeration via Frappe-Authorization-Source
Summary
Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration is possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44206",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T15:58:18.706598Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:58:30.973Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.107.2"
},
{
"status": "affected",
"version": "\u003c 16.17.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration is possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:34:00.833Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-9c55-cq5r-qj5x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-9c55-cq5r-qj5x"
}
],
"source": {
"advisory": "GHSA-9c55-cq5r-qj5x",
"discovery": "UNKNOWN"
},
"title": "Frappe: DB Schema Enumeration via Frappe-Authorization-Source"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44206",
"datePublished": "2026-06-12T14:34:00.833Z",
"dateReserved": "2026-05-05T15:13:47.571Z",
"dateUpdated": "2026-06-12T15:58:30.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44207 (GCVE-0-2026-44207)
Vulnerability from cvelistv5 – Published: 2026-06-12 14:27 – Updated: 2026-06-12 16:28
VLAI
EPSS
VEX
Title
Frappe: Insecure Direct Object Reference for email accounts
Summary
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allows authenticated users to access other users' email configuration details. This issue has been patched in versions 15.107.0 and 16.17.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44207",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T16:27:49.988409Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T16:28:29.384Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.107.0"
},
{
"status": "affected",
"version": "\u003c 16.17.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allows authenticated users to access other users\u0027 email configuration details. This issue has been patched in versions 15.107.0 and 16.17.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:27:58.128Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-cw6v-39qx-7r74",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-cw6v-39qx-7r74"
}
],
"source": {
"advisory": "GHSA-cw6v-39qx-7r74",
"discovery": "UNKNOWN"
},
"title": "Frappe: Insecure Direct Object Reference for email accounts"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44207",
"datePublished": "2026-06-12T14:27:58.128Z",
"dateReserved": "2026-05-05T15:13:47.571Z",
"dateUpdated": "2026-06-12T16:28:29.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44208 (GCVE-0-2026-44208)
Vulnerability from cvelistv5 – Published: 2026-06-12 14:26 – Updated: 2026-06-13 03:14
VLAI
EPSS
VEX
Title
Frappe: IDOR in `submit_discussion()`
Summary
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44208",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-13T03:13:21.423395Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T03:14:01.435Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.107.0"
},
{
"status": "affected",
"version": "\u003c 16.17.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the \"submit_discussion()\" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:26:17.323Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-xh7m-j2j2-82f2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-xh7m-j2j2-82f2"
}
],
"source": {
"advisory": "GHSA-xh7m-j2j2-82f2",
"discovery": "UNKNOWN"
},
"title": "Frappe: IDOR in `submit_discussion()`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44208",
"datePublished": "2026-06-12T14:26:17.323Z",
"dateReserved": "2026-05-05T15:13:47.571Z",
"dateUpdated": "2026-06-13T03:14:01.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44205 (GCVE-0-2026-44205)
Vulnerability from cvelistv5 – Published: 2026-06-12 14:23 – Updated: 2026-06-12 16:02
VLAI
EPSS
VEX
Title
Frappe: Stored Cross-Site Scripting (XSS) in User Profile through Image Upload
Summary
Frappe is a full-stack web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allows an attacker to execute malicious scripts in the browsers of other users. This issue has been patched in version 15.106.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T16:02:26.214512Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T16:02:36.022Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.106.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allows an attacker to execute malicious scripts in the browsers of other users. This issue has been patched in version 15.106.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:23:45.308Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-2wx6-8gmq-x4fw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-2wx6-8gmq-x4fw"
}
],
"source": {
"advisory": "GHSA-2wx6-8gmq-x4fw",
"discovery": "UNKNOWN"
},
"title": "Frappe: Stored Cross-Site Scripting (XSS) in User Profile through Image Upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44205",
"datePublished": "2026-06-12T14:23:45.308Z",
"dateReserved": "2026-05-05T15:13:47.571Z",
"dateUpdated": "2026-06-12T16:02:36.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41581 (GCVE-0-2026-41581)
Vulnerability from cvelistv5 – Published: 2026-06-12 14:22 – Updated: 2026-06-12 14:56
VLAI
EPSS
VEX
Title
Frappe Vulnerable to Possible SQL Injection via get_blog_list
Summary
Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, there is a possible SQL Injection via get_blog_list. This issue has been patched in versions 15.106.0 and 16.16.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41581",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T14:56:39.556744Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:56:53.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 15.106.0"
},
{
"status": "affected",
"version": "\u003c 16.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, there is a possible SQL Injection via get_blog_list. This issue has been patched in versions 15.106.0 and 16.16.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:22:46.804Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-h9hf-57r4-cm65",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-h9hf-57r4-cm65"
}
],
"source": {
"advisory": "GHSA-h9hf-57r4-cm65",
"discovery": "UNKNOWN"
},
"title": "Frappe Vulnerable to Possible SQL Injection via get_blog_list"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41581",
"datePublished": "2026-06-12T14:22:46.804Z",
"dateReserved": "2026-04-21T14:15:21.958Z",
"dateUpdated": "2026-06-12T14:56:53.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}