CVE-2026-50703
Stored XSS in Frappe Framework

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Fluid Attacks

Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Desk desktop icon renderer.
Meta Information
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor    Product      Version / Range
frappe    framework    up to 17.0.0-dev (excluding)
frappe    framework    17.0.0-dev
Weakness
CWE ID    Description
CWE-79    The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-50703 is a Stored Cross-Site Scripting (XSS) vulnerability found in Frappe Framework version 17.0.0-dev. It occurs because user-controlled input is not properly neutralized in the Desk desktop icon renderer.

Specifically, the application stores desktop icon metadata in Desktop Icon records and renders the label value directly into the data-id attribute of an HTML <a> element without proper escaping. This allows an attacker with permission to create or modify Desktop Icon records to inject malicious payloads into the label field.

The injected payload can include arbitrary HTML attributes such as JavaScript event handlers. When another user interacts with the affected icon, the malicious code executes in the victim's browser within an authenticated Desk session.

The root cause is the unescaped rendering of icon.label in the desktop_icon.html template.

Compliance Impact

The provided information does not specify any direct impact of this Stored Cross-Site Scripting (XSS) vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of another user's authenticated session within the Frappe Framework Desk environment.

Such code execution can lead to unauthorized actions performed on behalf of the victim, theft of sensitive information, session hijacking, or other malicious activities.

Since the vulnerability is remotely exploitable and requires only that the attacker have permission to create or modify Desktop Icon records, it poses a medium severity risk with a CVSS v4.0 base score of 4.8.

Detection Guidance

This vulnerability can be detected by checking the label field of Desktop Icon records in Frappe Framework version 17.0.0-dev for injected payloads. Specifically, look for HTML attributes or JavaScript event handlers embedded in label values, for example labels containing an event handler such as "onmouseover".

Since the vulnerability involves stored Cross-Site Scripting in the Desk desktop icon renderer, detection involves inspecting the Desktop Icon metadata for suspicious or unexpected HTML attributes.

There are no specific commands provided in the resources, but a practical approach is to query the Desktop Icon records in the database for label values containing suspicious strings such as "onmouseover", "javascript:", or other event handler attributes.

  • Example SQL query to find suspicious labels (it matches only these two strings; extend the LIKE patterns to cover other on* event handlers):
    SELECT * FROM `desktop_icon` WHERE `label` LIKE '%onmouseover%' OR `label` LIKE '%javascript:%';
  • Monitor user activity for creation or modification of Desktop Icon records with unusual label content.
Mitigation Strategies

As of the disclosure date, there is no available patch for this vulnerability.

Immediate mitigation steps include restricting permissions to create or modify Desktop Icon records to trusted users only, to prevent attackers from injecting malicious payloads.

Additionally, monitor and audit Desktop Icon records for suspicious label values and remove any malicious entries found.

Consider implementing input validation or escaping on the label field in your own deployment if possible, to neutralize user-controlled input before rendering.
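The following added example (not code from Frappe or from this advisory) covers both the detection guidance above and the escaping mitigation: it audits constructed Desktop Icon records for attribute breakout and event-handler patterns, generalizing the page's two-string check to any on* handler, and shows the label rendered into the data-id attribute with and without escaping. Record shape, function names and sample labels are assumptions for illustration.

```python
import html
import re

# Patterns that indicate an attempt to break out of an HTML attribute value or to
# inject active content. Broader than the page's "onmouseover"/"javascript:" check:
# any on* handler, script URI schemes, and characters that can close the attribute.
EVENT_HANDLER = re.compile(r"on[a-z]+\s*=", re.IGNORECASE)
SCRIPT_URI = re.compile(r"(javascript|data|vbscript)\s*:", re.IGNORECASE)
BREAKOUT = re.compile(r'["\'<>]')


def label_findings(label: str) -> list[str]:
    """Reasons a Desktop Icon label looks like an injection attempt (empty if clean).
    Tuned for auditing, so an odd-looking legitimate label may be flagged for review."""
    findings = []
    if EVENT_HANDLER.search(label):
        findings.append("event handler attribute")
    if SCRIPT_URI.search(label):
        findings.append("script URI scheme")
    if BREAKOUT.search(label):
        findings.append("attribute/tag breakout character")
    return findings


def scan_icons(records):
    """Audit {'name': ..., 'label': ...} records; return (name, findings) for suspicious ones."""
    return [(r["name"], label_findings(r["label"]))
            for r in records if label_findings(r["label"])]


def render_icon_unsafe(label: str) -> str:
    """Mirrors the flaw described in the advisory: label dropped into data-id unescaped."""
    return f'<a data-id="{label}" class="desktop-icon">{html.escape(label)}</a>'


def render_icon_safe(label: str) -> str:
    """Hardened form: escape for attribute context (quote=True escapes both quote kinds)."""
    return f'<a data-id="{html.escape(label, quote=True)}" class="desktop-icon">{html.escape(label)}</a>'


# Constructed sample records for demonstration; not real data.
SAMPLE_ICONS = [
    {"name": "icon-1", "label": "Accounts"},
    {"name": "icon-2", "label": 'Sales" onmouseover="alert(1)'},
    {"name": "icon-3", "label": "javascript:void(0)"},
]

if __name__ == "__main__":
    for name, reasons in scan_icons(SAMPLE_ICONS):
        print(f"{name}: {', '.join(reasons)}")
    print(render_icon_safe(SAMPLE_ICONS[1]["label"]))
```

To run the audit against a live deployment, feed the function the rows returned by the advisory's SQL query; note that Frappe conventionally stores each DocType in a table named `tab` followed by the DocType name, so the table name in that query may need adjusting for your schema.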
