CVE-2026-50699 PUBLISHED

Frappe Framework 17.0.0-dev - Stored XSS in Auto Repeat dashboard schedule rendering

Assigner: Fluid Attacks
Reserved: 05.06.2026 Published: 24.06.2026 Updated: 24.06.2026

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger script execution when users open the affected Auto Repeat form.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS Score: 4.6

Product Status

Vendor Frappe
Product Frappe Framework
Versions Default: unaffected
  • Version 17.0.0-dev is affected

Credits

  • Fluid Attacks' AI SAST Scanner finder
  • Oscar Uribe finder

References

Problem Types

  • CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') CWE

Impacts

  • CAPEC-592 Stored XSS