CVE-2026-50698
Received Received - Intake
Stored XSS in Frappe Framework Audit Trail

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Fluid Attacks

Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-24
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-50698
EUVD
EUVD-2026-38794
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
frappe frappe to 17.0.0-dev (exc)
frappe framework From 17.0.0-dev (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-50698 is a Stored Cross-Site Scripting (XSS) vulnerability found in the Frappe Framework version 17.0.0-dev. It occurs because user-controlled input is not properly neutralized before being included in HTML output within the Audit Trail component.

Specifically, malicious data stored in audit records can be rendered as active HTML or JavaScript when viewed by other users. This happens in two rendering paths of the Audit Trail that use jQuery's .appendTo() method without escaping HTML, allowing injected scripts to execute.

An attacker can exploit this by storing malicious payloads in audit records, which then execute when other users view the Audit Trail.

Impact Analysis

This vulnerability can lead to unauthorized script execution in the context of users viewing the Audit Trail component. An attacker could inject malicious scripts that run in other users' browsers, potentially leading to session hijacking, data theft, or other malicious actions.

Since the vulnerability is remotely exploitable and requires only that an attacker store malicious data in audit records, it poses a risk to the integrity and security of user sessions and data.

The CVSS v4.0 base score of 4.6 indicates a medium severity impact.

Detection Guidance

This vulnerability can be detected by inspecting the Audit Trail component of the Frappe Framework version 17.0.0-dev for the presence of malicious scripts in audit records. Since the vulnerability involves improper neutralization of user input that is rendered using jQuery's .appendTo() method without HTML escaping, detection involves checking audit records for suspicious or unexpected HTML or JavaScript content.

There are no specific commands provided in the available resources to detect this vulnerability automatically. However, manual inspection or custom scripts to scan audit trail entries for embedded script tags or suspicious HTML could be used.

Mitigation Strategies

As of the disclosure date, no patch is available for this vulnerability. Immediate mitigation steps include restricting access to the Audit Trail component to trusted users only, to reduce the risk of malicious payloads being stored and executed.

Additionally, monitoring audit records for suspicious entries and avoiding the use of the vulnerable version (17.0.0-dev) in production environments can help mitigate risk.

Implementing input validation or sanitization on user inputs before they are stored in audit records, if possible, may also reduce the risk until an official fix is released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50698. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart