CVE-2026-50701
Status: Received - Intake
Reflected XSS in Frappe Framework

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Fluid Attacks

Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor    Product      Version / Range
frappe    framework    to 17.0.0-dev (inc)
frappe    framework    17.0.0-dev
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Compliance Impact

The Reflected Cross-Site Scripting (XSS) vulnerability in Frappe Framework allows arbitrary JavaScript execution in a victim's session, which can lead to session hijacking, unauthorized actions, or data disclosure.

Such unauthorized access and potential data disclosure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

However, the provided information does not explicitly detail the direct impact on compliance frameworks.

Impact Analysis

Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript in the victim's session, which can lead to:

  • Session hijacking
  • Unauthorized actions performed on behalf of the user
  • Disclosure of sensitive data

The vulnerability is remotely exploitable and has a medium severity score (CVSS v4.0 base score of 5.1).

Executive Summary

CVE-2026-50701 is a Reflected Cross-Site Scripting (XSS) vulnerability found in Frappe Framework version 17.0.0-dev. It occurs because the dashboard-view component improperly neutralizes user-controlled input.

Specifically, the vulnerability arises in the breadcrumb rendering logic where route data is read directly from the browser URL and injected into the page without proper encoding or sanitization.

An attacker can craft a malicious URL containing HTML or JavaScript in a route segment, which is then decoded and inserted into the DOM via jQuery HTML parsing without escaping. This causes the injected content to be executed as active markup rather than displayed as plain text.

Detection Guidance

The vulnerability can be detected by checking whether Frappe Framework version 17.0.0-dev is in use and whether the dashboard-view component improperly neutralizes user-controlled input in the breadcrumb rendering logic.

Detection involves verifying whether the system reads route data directly from the browser URL and injects it into the page without adequate output encoding or sanitization.

A practical approach is to test for reflected XSS by crafting a malicious URL containing HTML or JavaScript within a route segment and observing if it is executed in the victim's session.

Specific commands are not provided in the available resources.

Mitigation Strategies

As of the disclosure date, there is no available patch for this vulnerability.

Immediate mitigation steps include avoiding the use of untrusted or user-controlled input in URLs that affect the dashboard breadcrumb rendering.

Implement input validation and output encoding or sanitization on the route data before it is injected into the DOM.

Consider restricting access to the affected component or applying web application firewall (WAF) rules to detect and block malicious payloads in URLs.
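
The output-encoding step recommended above, shown beside the unescaped pattern, as an added example that is not Frappe's code or part of the original advisory. The function names, the `breadcrumb-item` markup and the sample routes are assumptions constructed for illustration.

```javascript
// Hypothetical helpers for illustration; none of these names are Frappe APIs.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Split a route on "/" first, then percent-decode each segment.
// A malformed %-sequence makes decodeURIComponent throw, so fall back to the raw text.
function routeSegments(route) {
  return route.split("/").filter(Boolean).map((seg) => {
    try {
      return decodeURIComponent(seg);
    } catch (err) {
      return seg;
    }
  });
}

// Pattern described in the summary: the decoded segment is concatenated into
// a string that is later handed to an HTML parser (for example jQuery's $(html)).
function breadcrumbUnsafe(route) {
  const segs = routeSegments(route);
  return '<li class="breadcrumb-item">' + (segs[segs.length - 1] || "") + "</li>";
}

// Hardened form: the segment is encoded before it reaches the markup string.
// In a browser, jQuery's .text(value) or document.createTextNode(value)
// gives the same result without building HTML strings at all.
function breadcrumbSafe(route) {
  const segs = routeSegments(route);
  return '<li class="breadcrumb-item">' + escapeHtml(segs[segs.length - 1] || "") + "</li>";
}

// Constructed sample routes: one ordinary label, one containing harmless markup.
const SAMPLE_ROUTES = [
  "/app/dashboard-view/Sales%20Overview",
  "/app/dashboard-view/%3Cb%3Ebold%3C%2Fb%3E",
];

for (const route of SAMPLE_ROUTES) {
  console.log("unsafe:", breadcrumbUnsafe(route));
  console.log("safe:  ", breadcrumbSafe(route));
}
```

With the second sample route, the unsafe output carries a live `<b>` element while the safe output shows the same characters as text.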
