CVE-2026-28436
Stored XSS in Frappe Avatar Image URL Allows Remote Exploitation
Publication date: 2026-03-05
Last updated on: 2026-04-29
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | frappe | Before 15.102.0 (exc) |
| frappe | frappe | From 16.0.0 (inc) to 16.11.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a stored Cross-Site Scripting (XSS) issue caused by a crafted image URL in the avatar display of the Frappe framework. Detection starts with identifying whether your system runs a vulnerable version: any release before 15.102.0, or any 16.x release from 16.0.0 up to but not including 16.11.0.
To detect exploitation attempts, monitor web application logs, the HTTP requests that set avatar images, and the stored avatar URL values themselves for quote characters, angle brackets, event-handler attributes (for example `onerror=`) or non-image schemes such as `javascript:`. Payloads are often URL-encoded or entity-encoded, so decode values before matching.
There are no specific commands provided in the resources, but general approaches include:
- Checking the installed Frappe version from the bench directory with `bench version`, or with `./env/bin/pip show frappe` (the package is installed in the bench's own virtualenv, so a plain `pip show frappe` run outside it may report nothing).
- Searching web server or application logs for unusual image URLs in avatar or comment fields, for example with `grep` for patterns such as `onerror`, `%22` or `javascript:`.
- Using web vulnerability scanners that can detect stored XSS vulnerabilities in web applications.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the Frappe framework to a patched version: 15.102.0 or later on the 15.x line, or 16.11.0 or later on the 16.x line.
Until the upgrade can be performed, restrict the image URLs accepted for avatars to http(s) URLs or site-relative file paths, and escape them as attribute values wherever they are rendered, so that a quote in the stored value cannot close the `src` attribute.
Additionally, monitor and review user-generated content for suspicious inputs and apply web application firewall (WAF) rules to block common XSS payloads; treat WAF rules as defence in depth rather than a fix, since encoded payloads often bypass them. After upgrading, review the avatar URLs already stored in the database: the fix escapes them on output so they become inert, but any that carry a payload point to an account that should be investigated.
Can you explain this vulnerability to me?
CVE-2026-28436 is a stored Cross-Site Scripting (XSS) vulnerability in the Frappe web application framework. It occurs because an attacker can provide a specially crafted image URL for an avatar that is not properly escaped. When this malicious URL is displayed in the avatar, such as in website page comments, it triggers the execution of arbitrary scripts in the browsers of other users viewing the page.
This vulnerability affects Frappe releases before 15.102.0 and 16.x releases from 16.0.0 up to but not including 16.11.0; it has been fixed by properly escaping the image URL in the avatar display code.
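The mechanism explained above, and the interim sanitising measure suggested under mitigation, as an added example that is not Frappe's avatar code: the unsafe pattern of concatenating a stored image URL straight into an `<img>` attribute, beside a hardened renderer that validates the URL shape and escapes every attribute value. Function names, class names and payloads are constructed for illustration.

```javascript
// Added example, not Frappe's avatar code: the unsafe pattern the CVE
// describes (image URL concatenated into an <img> attribute) beside a
// hardened version. Payloads and names are constructed.

// Escape the five characters that can alter an HTML attribute or open a tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable: a stored value like  x" onerror="alert(1)  closes the src
// attribute and adds an event handler that fires for every viewer.
function renderAvatarVulnerable(imageUrl, title) {
  return `<span class="avatar"><img src="${imageUrl}" title="${title}"></span>`;
}

// Only http(s) absolute URLs or site-relative paths are acceptable avatar
// sources; javascript:, data: and unparsable values are dropped.
function safeImageUrl(imageUrl) {
  const raw = String(imageUrl || "").trim();
  if (raw === "") return null;
  let parsed;
  try {
    // The base only matters for relative paths such as /files/pic.png.
    parsed = new URL(raw, "https://placeholder.invalid/");
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return raw;
}

// Hardened: validate the URL, then escape every attribute value so a quote
// in the data can never end the attribute. Falls back to the user's initial.
function renderAvatarHardened(imageUrl, title) {
  const url = safeImageUrl(imageUrl);
  const name = String(title || "");
  const body = url
    ? `<img src="${escapeAttr(url)}" title="${escapeAttr(name)}">`
    : `<span class="avatar-initial">${escapeAttr(name.charAt(0) || "?")}</span>`;
  return `<span class="avatar">${body}</span>`;
}

const payload = 'x" onerror="alert(document.cookie)';
console.log(renderAvatarVulnerable(payload, "Alice"));
console.log(renderAvatarHardened(payload, "Alice"));
console.log(renderAvatarHardened("javascript:alert(1)", "Bob"));
```

Escaping alone already closes the attribute-injection hole; the scheme check is defence in depth so that a non-image URL never reaches the markup at all. Note that a protocol-relative value such as `//cdn.example/a.png` still passes the scheme check, which is acceptable for an image source but worth knowing if you also use the URL elsewhere.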
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary scripts in the context of other users who view the affected pages. This can lead to unauthorized actions performed on behalf of those users, theft of sensitive information such as cookies or session tokens, and potentially further compromise of user accounts or data.
Since the XSS is stored and triggered via avatar images in comments, it can affect multiple users and persist until the vulnerability is patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know