CVE-2026-50700
Received - Intake
Stored XSS in Frappe Framework

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Fluid Attacks

Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.get_avatar function.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
frappe | framework | to 17.0.0-dev (exc)
frappe | framework | 17.0.0-dev
CWE ID | Description
CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-50700 is a Stored Cross-Site Scripting (XSS) vulnerability found in Frappe Framework version 17.0.0-dev. It occurs because the function `frappe.get_avatar` improperly handles user-controlled input by directly inserting the `image_url` value into an HTML template string without proper escaping or sanitization.

An attacker who has write access to a record with an image field can inject malicious markup into the Attach Image value. When the affected record is displayed, this malicious code is inserted into the webpage's DOM and executed in the victim's browser.

This vulnerability affects features like Link Preview and Global Search, where the malicious payload travels through multiple functions before being executed.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary scripts in the context of a victim's browser session when they view a compromised record. This can lead to unauthorized actions such as stealing session tokens, performing actions on behalf of the user, or delivering malicious payloads.

Since the vulnerability is remotely exploitable and requires only write access to a record, it can be leveraged to compromise user accounts or data confidentiality within the affected application.

The CVSS v4.0 base score of 4.6 indicates a medium severity impact.

Detection Guidance

Detection starts with confirming whether Frappe Framework version 17.0.0-dev is in use, then checking image fields for injected markup, particularly fields whose values are rendered through the `frappe.get_avatar` function.

Since the vulnerability involves improper neutralization of user-controlled input in the `image_url` field that is assigned to `innerHTML`, detection can involve inspecting records with image fields for suspicious or unexpected HTML or script content.

No specific detection commands are provided in the available resources.
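One way to carry out the record inspection described above, as an added example that is not from the advisory or the Frappe project. It assumes records have been exported as dictionaries, that `user_image` is one of the image fields to check, and that a legitimate value is a relative path or an http(s) URL; the function names and sample rows are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Characters that can close an HTML attribute or open a tag.
HTML_META = re.compile(r"[<>\"'`]")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
ALLOWED_SCHEMES = {"", "http", "https"}  # "" means a relative path (assumed policy)

def check_image_value(value):
    """Return the reasons an image-field value looks unsafe (empty if none)."""
    reasons = []
    # Decode first so percent- or entity-encoded markup is also caught.
    decoded = html.unescape(unquote(value))
    if HTML_META.search(decoded):
        reasons.append("html-metacharacter")
    if CONTROL.search(decoded):
        reasons.append("control-character")
    try:
        scheme = urlsplit(decoded.strip()).scheme.lower()
    except ValueError:
        scheme = "invalid"
    if scheme not in ALLOWED_SCHEMES:
        reasons.append("scheme:" + scheme)
    return reasons


def scan_records(records, image_fields):
    """Return (record name, field, reasons) for every flagged value."""
    findings = []
    for rec in records:
        for field in image_fields:
            reasons = check_image_value(str(rec.get(field) or ""))
            if reasons:
                findings.append((rec.get("name"), field, reasons))
    return findings


# Constructed sample rows shaped like exported records (not real data).
SAMPLE = [
    {"name": "USR-0001", "user_image": "/files/alice.png"},
    {"name": "USR-0002", "user_image": "https://cdn.example.test/bob.jpg"},
    {"name": "USR-0003", "user_image": '/files/x.png"><i>constructed</i>'},
    {"name": "USR-0004", "user_image": "/files/x.png%22%3E%3Ci%3Econstructed"},
    {"name": "USR-0005", "user_image": "data:text/html,constructed"},
]

if __name__ == "__main__":
    print(*scan_records(SAMPLE, ["user_image"]), sep="\n")
```

The check is deliberately conservative: a legitimate file name containing an apostrophe is also flagged and needs manual review.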

Mitigation Strategies

As no patch is currently available for this vulnerability, immediate mitigation steps include restricting write access to records containing image fields to trusted users only.

Additionally, monitoring and sanitizing user inputs, especially those that affect the `frappe.get_avatar` function, can help reduce the risk of exploitation.

Consider implementing additional security controls such as Content Security Policy (CSP) headers to limit the impact of potential XSS payloads.

Compliance Impact

The provided information does not specify how the Stored Cross-Site Scripting (XSS) vulnerability in Frappe Framework version 17.0.0-dev affects compliance with common standards and regulations such as GDPR or HIPAA.
