CVE-2026-28436
Received Received - Intake
Stored XSS in Frappe Avatar Image URL Allows Remote Exploitation

Publication date: 2026-03-05

Last updated on: 2026-04-29

Assigner: GitHub, Inc.

Description
Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28436
EUVD
EUVD-2026-9878
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
frappe frappe to 15.102.0 (exc)
frappe frappe From 16.0.0 (inc) to 16.11.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability is a stored Cross-Site Scripting (XSS) issue caused by a crafted image URL in the avatar display of the Frappe framework. Detection involves identifying if your system is running a vulnerable version of Frappe prior to 15.102.0 or 16.11.0.

To detect exploitation attempts, you can monitor web application logs and HTTP requests for suspicious image URLs containing script payloads in avatar fields or page comments.

There are no specific commands provided in the resources, but general approaches include:

  • Checking the installed Frappe version via package management commands, for example: `pip show frappe`
  • Searching web server or application logs for unusual or suspicious image URLs in avatar or comment fields using commands like `grep`.
  • Using web vulnerability scanners that can detect stored XSS vulnerabilities in web applications.
Executive Summary

CVE-2026-28436 is a stored Cross-Site Scripting (XSS) vulnerability in the Frappe web application framework. It occurs because an attacker can provide a specially crafted image URL for an avatar that is not properly escaped. When this malicious URL is displayed in the avatar, such as in website page comments, it triggers the execution of arbitrary scripts in the browsers of other users viewing the page.

This vulnerability affects versions prior to 16.11.0 and 15.102.0 of the Frappe package and has been fixed by properly escaping the image URL in the avatar display code.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary scripts in the context of other users who view the affected pages. This can lead to unauthorized actions performed on behalf of those users, theft of sensitive information such as cookies or session tokens, and potentially further compromise of user accounts or data.

Since the XSS is stored and triggered via avatar images in comments, it can affect multiple users and persist until the vulnerability is patched.

Compliance Impact

I don't know

Mitigation Strategies

The primary mitigation step is to upgrade the Frappe framework to a patched version, specifically version 15.102.0 or 16.11.0 or later, where the vulnerability has been fixed.

Until the upgrade can be performed, consider sanitizing or filtering user-supplied image URLs in avatar fields and comments to prevent injection of malicious scripts.

Additionally, monitor and review user-generated content for suspicious inputs and apply web application firewall (WAF) rules to block potential XSS payloads.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28436. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart