CVE-2026-50710
Status: Received - Intake
Stored XSS in Frappe Framework Number Card Component

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Fluid Attacks

Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor: frappe, Product: framework, Version / Range: up to 17.0.0-dev (exc)
Vendor: frappe, Product: framework, Version / Range: 17.0.0-dev
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Q&A (AI-generated analysis)
Executive Summary

CVE-2026-50710 is a Stored Cross-Site Scripting (XSS) vulnerability found in the Frappe Framework version 17.0.0-dev. It occurs because the Number Card component unsafely evaluates user-controlled data in its filters_config field using the JavaScript eval function.

An authenticated attacker can exploit this by creating or modifying a Number Card whose filters_config contains malicious code. When another user views that Number Card, the code runs in their browser, which amounts to arbitrary JavaScript execution in that user's session.

The vulnerability is persistent because the malicious payload is stored and re-executed every time the Number Card is accessed.

Impact Analysis

This vulnerability can lead to arbitrary JavaScript execution in the browsers of users who view the compromised Number Card. This can result in unauthorized actions such as stealing session tokens, performing actions on behalf of the user, or delivering further malicious payloads.

Since exploitation requires authentication to create or modify the Number Card, the attacker must already hold an account with that level of access; the consequences, however, reach every user who views the malicious card.

The persistent nature of the vulnerability means the malicious code remains active until the issue is fixed or the payload is removed.

Detection Guidance

This vulnerability can be detected by finding Number Cards in Frappe Framework version 17.0.0-dev whose filters_config field carries a malicious payload. Because the exploit relies on unsafe evaluation of user-controlled data via eval, detection means inspecting the stored Number Cards for suspicious JavaScript code.

Because the vulnerability requires authentication and the payload is stored, detection focuses on querying the database or application data for suspicious content in the filters_config field of Number Cards.

  • Use database queries to extract filters_config values from Number Cards and search them for suspicious JavaScript code or eval usage.
  • Example SQL command (adjust for your database schema): SELECT filters_config FROM `tabNumber Card` WHERE filters_config LIKE '%eval(%' OR filters_config LIKE '%<script>%';
  • Monitor client-side behavior for unexpected JavaScript execution or alerts when accessing Number Cards in the Desk interface.

Mitigation Strategies

Immediate mitigation steps include restricting access to the Number Card creation and modification features to trusted users only, as exploitation requires authentication.

Since no patch is available as of the disclosure date, administrators should audit existing Number Cards for malicious payloads in the filters_config field and remove or sanitize any suspicious entries.

Additionally, educate users to avoid opening untrusted Number Cards and monitor for unusual client-side behavior indicating exploitation.

Consider implementing application-level input validation or disabling the use of eval on user-controlled data in the Number Card component if possible.
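One way to carry out the audit that the Detection Guidance and Mitigation Strategies sections call for, as an added example that is not part of this advisory or of Frappe itself: it triages exported filters_config values, flagging those that contain tokens a filter definition should never hold and setting aside for manual review anything that is not plain JSON. The expected shape of a benign filters_config, the column names in the query comment and the sample rows are assumptions made for the example.

```python
import json
import re

# Tokens that have no business in a filter definition; a broad triage list,
# and a human reviewer makes the final call on anything it flags.
SUSPICIOUS = re.compile(
    r"<\s*script|javascript:|\bon\w+\s*=|\beval\s*\(|\bFunction\s*\(|"
    r"\balert\s*\(|\bfetch\s*\(|XMLHttpRequest|\bdocument\.|\bwindow\.|"
    r"\blocation\b|\bcookie\b|\bsetTimeout\s*\(|\bimport\s*\(",
    re.IGNORECASE,
)

def classify(filters_config):
    """Return 'clean', 'suspicious' or 'review' for one stored value."""
    text = (filters_config or "").strip()
    if not text:
        return "clean"
    if SUSPICIOUS.search(text):
        return "suspicious"
    try:
        parsed = json.loads(text)
    except ValueError:
        # Not strict JSON: may be a JS object literal (plausible in a field
        # the client evals) or may be code, so a human has to look at it.
        return "review"
    # Assumption: a benign filter definition is a list or object of filters.
    return "clean" if isinstance(parsed, (list, dict)) else "review"

def audit_number_cards(rows):
    """rows: (name, modified_by, filters_config) tuples, e.g. pulled with
    SELECT name, modified_by, filters_config FROM `tabNumber Card`.
    Returns the non-clean findings, most suspicious first."""
    rank = {"suspicious": 0, "review": 1}
    findings = [{"name": n, "modified_by": who, "verdict": classify(cfg)}
                for n, who, cfg in rows]
    findings = [f for f in findings if f["verdict"] != "clean"]
    return sorted(findings, key=lambda f: rank[f["verdict"]])

# Constructed sample rows for this example; not taken from any real site.
SAMPLE_ROWS = [
    ("Open Invoices", "alice@example.com",
     '[["Sales Invoice", "docstatus", "=", 1], ["Sales Invoice", "outstanding_amount", ">", 0]]'),
    ("Company Filter", "bob@example.com",
     '[{fieldname: "company", label: "Company", fieldtype: "Link", options: "Company"}]'),
    ("Stats", "carol@example.com", '[["Note", "docstatus", "=", 0]]; alert(1)'),
]

if __name__ == "__main__":
    for f in audit_number_cards(SAMPLE_ROWS):
        print(f"{f['verdict']:<10} {f['name']} (last modified by {f['modified_by']})")
```

The "review" bucket exists because a field the client evaluates may legitimately hold a JavaScript object literal rather than strict JSON, so non-JSON alone is not evidence of tampering.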
