CVE-2026-50704
Deferred Deferred - Pending Action

Stored XSS in Frappe Framework

Vulnerability report for CVE-2026-50704, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Fluid Attacks

Description

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the File View breadcrumb renderer.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
frappe framework to 17.0.0-dev (inc)
frappe framework 17.0.0-dev

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how the Stored Cross-Site Scripting (XSS) vulnerability in Frappe Framework version 17.0.0-dev affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-50704 is a Stored Cross-Site Scripting (XSS) vulnerability in Frappe Framework version 17.0.0-dev. It occurs because user-controlled input is not properly neutralized in the File View breadcrumb renderer. Specifically, folder segments from application routes are inserted into HTML templates without proper encoding, allowing attackers to inject malicious HTML or JavaScript.

This vulnerability can be exploited in three ways: (1) reflected route-segment XSS where attacker-controlled URL segments execute payloads when rendered; (2) stored breadcrumb attribute injection via malicious folder names that break HTML attributes and inject event handlers like onmouseover; and (3) header sink in get_header_html() where unescaped breadcrumbs embedded in the document lead to JavaScript execution.

The flaw affects multiple components including file_view.js, list_view.js, and file.py. No patch is currently available.

Impact Analysis

This vulnerability allows attackers to inject and execute malicious scripts in the context of the affected application. When victims access the compromised File View page, the injected scripts can run, potentially leading to unauthorized actions such as session hijacking, data theft, or manipulation of the user interface.

Because the vulnerability can be exploited remotely and involves stored and reflected XSS, it poses a medium risk (CVSS score 4.6) and can compromise the security and integrity of the application and its users.

Detection Guidance

This vulnerability can be detected by checking for injection of malicious HTML or JavaScript payloads in the File View breadcrumb renderer of Frappe Framework version 17.0.0-dev.

Detection involves verifying if folder segments from application routes are improperly neutralized and appear in breadcrumb markup without proper output encoding.

Specifically, you can test for reflected route-segment XSS by crafting URLs with malicious payloads in the File list route and observing if the payload executes when the page is rendered.

You can also check for stored breadcrumb attribute injection by creating folder names containing quotes and event handlers (e.g., onmouseover) and seeing if these are executed in the breadcrumb display.

No explicit commands are provided, but manual testing with crafted URLs and folder names in the affected application routes is recommended.

Mitigation Strategies

Currently, no patch is available for this vulnerability.

Immediate mitigation steps include avoiding the use of untrusted or user-controlled input in folder names or URL segments that are rendered in breadcrumbs.

Restrict access to the affected File View pages to trusted users only, especially those with high privileges, to reduce the risk of exploitation.

Monitor and audit breadcrumb rendering for suspicious injected scripts or HTML.

Consider implementing additional input validation and output encoding in your application to neutralize potentially malicious input until an official fix is released.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50704. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart