CVE-2026-50705
Received Received - Intake
Cross-Site Scripting in Frappe Framework

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Fluid Attacks

Description
A Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-50705
EUVD
EUVD-2026-38802
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
frappe framework to 17.0.0-dev (inc)
frappe frappe 17.0.0-dev
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-50705 is a stored cross-site scripting (XSS) vulnerability in Frappe Framework version 17.0.0-dev. It occurs because untrusted input is not properly neutralized in the Form Dashboard headline renderer.

Specifically, HTML strings are inserted into Desk forms using jQuery's .html() method without sanitization, allowing an attacker to inject malicious HTML or JavaScript.

This malicious code executes when the affected form is viewed, for example, through the `google_meet_link` field in Event forms where attacker-controlled data is interpolated into dashboard headlines.

Impact Analysis

This vulnerability allows an attacker to execute malicious scripts in the context of the affected application when a user views a compromised form.

Potential impacts include theft of user session data, unauthorized actions performed on behalf of the user, and exposure to further attacks such as phishing or malware distribution.

Since the vulnerability is remotely exploitable and triggered by viewing a crafted form, it poses a medium risk with a CVSS v4.0 base score of 4.6.

Detection Guidance

This vulnerability can be detected by attempting to inject malicious HTML or JavaScript payloads into the Form Dashboard headline fields, such as the `google_meet_link` field in Event forms, and then observing if the payload executes when the form is opened.

Since the vulnerability arises from the use of jQuery's .html() method without sanitization, detection involves testing input fields that are rendered in dashboard headlines for improper neutralization.

A practical detection approach is to create an Event with a crafted `google_meet_link` containing a harmless script or HTML payload and then open the Event form to see if the script executes.

No specific network commands are provided, but manual testing through the application interface by injecting test payloads into vulnerable fields is recommended.

Mitigation Strategies

As of the disclosure date, no patch is available for this vulnerability.

Immediate mitigation steps include avoiding the use of untrusted input in the Form Dashboard headline renderer, especially fields like `google_meet_link` in Event forms.

Restrict access to the affected forms to trusted users only and avoid opening Event forms with untrusted or suspicious data.

Consider implementing input validation and sanitization on the application side to neutralize potentially malicious input before it is rendered.

Compliance Impact

The provided information does not specify how the CVE-2026-50705 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50705. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart