Executive Summary

CVE-2026-50704 is a Stored Cross-Site Scripting (XSS) vulnerability in Frappe Framework version 17.0.0-dev. It occurs because user-controlled input is not properly neutralized in the File View breadcrumb renderer. Specifically, folder segments from application routes are inserted into HTML templates without proper encoding, allowing attackers to inject malicious HTML or JavaScript.

This vulnerability can be exploited in three ways: (1) reflected route-segment XSS where attacker-controlled URL segments execute payloads when rendered; (2) stored breadcrumb attribute injection via malicious folder names that break HTML attributes and inject event handlers like onmouseover; and (3) header sink in get_header_html() where unescaped breadcrumbs embedded in the document lead to JavaScript execution.

The flaw affects multiple components including file_view.js, list_view.js, and file.py. No patch is currently available.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to inject and execute malicious scripts in the context of the affected application. When victims access the compromised File View page, the injected scripts can run, potentially leading to unauthorized actions such as session hijacking, data theft, or manipulation of the user interface.

Because the vulnerability can be exploited remotely and involves stored and reflected XSS, it poses a medium risk (CVSS score 4.6) and can compromise the security and integrity of the application and its users.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for injection of malicious HTML or JavaScript payloads in the File View breadcrumb renderer of Frappe Framework version 17.0.0-dev.

Detection involves verifying if folder segments from application routes are improperly neutralized and appear in breadcrumb markup without proper output encoding.

Specifically, you can test for reflected route-segment XSS by crafting URLs with malicious payloads in the File list route and observing if the payload executes when the page is rendered.

You can also check for stored breadcrumb attribute injection by creating folder names containing quotes and event handlers (e.g., onmouseover) and seeing if these are executed in the breadcrumb display.

No explicit commands are provided, but manual testing with crafted URLs and folder names in the affected application routes is recommended.

Useful 0 Not Useful 0

Mitigation Strategies

Currently, no patch is available for this vulnerability.

Immediate mitigation steps include avoiding the use of untrusted or user-controlled input in folder names or URL segments that are rendered in breadcrumbs.

Restrict access to the affected File View pages to trusted users only, especially those with high privileges, to reduce the risk of exploitation.

Monitor and audit breadcrumb rendering for suspicious injected scripts or HTML.

Consider implementing additional input validation and output encoding in your application to neutralize potentially malicious input until an official fix is released.

Useful 0 Not Useful 0