Executive Summary

CVE-2026-50712 is a Stored Cross-Site Scripting (XSS) vulnerability found in Frappe Framework version 17.0.0-dev. It occurs because the frappe.ui.Tree component improperly neutralizes user-controlled input, specifically in tree node labels that are rendered without proper escaping.

An attacker can exploit this vulnerability by creating or modifying records with specially crafted names containing malicious JavaScript event handlers, such as onclick. When another user interacts with the affected tree node, the malicious code executes in their browser.

The flaw exists in multiple unescaped client render paths in the Tree View, allowing arbitrary HTML and JavaScript injection without requiring raw HTML tags, working even with quote characters alone.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code in the browsers of users interacting with the vulnerable tree nodes.

Such code execution can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of the user, or delivery of further malicious payloads.

Because the vulnerability is remotely exploitable and triggered by user interaction, it poses a risk to the confidentiality and integrity of user data within applications using the affected Frappe Framework version.

Useful 0 Not Useful 0

Detection Guidance

This Stored Cross-Site Scripting (XSS) vulnerability in Frappe Framework version 17.0.0-dev can be detected by examining the frappe.ui.Tree component, specifically looking for tree node labels that render user-controlled input without proper escaping.

Detection can involve checking if any records or tree nodes contain crafted names with suspicious JavaScript event handlers such as onclick attributes embedded in the labels.

Since the vulnerability was validated using the Customer Group tree where document names are user-controlled, inspecting these fields for injected scripts or unusual characters (like quote characters used for injection) can help identify exploitation.

No specific commands are provided in the available resources, but manual inspection or automated scanning of the tree node labels for unescaped HTML or JavaScript event handlers is recommended.

Useful 0 Not Useful 0

Mitigation Strategies

Currently, there is no patch available for this vulnerability.

Immediate mitigation steps include avoiding the use of untrusted user input in tree node labels or other UI components that render HTML without proper escaping.

Administrators should monitor and restrict the creation or modification of records with potentially malicious names containing JavaScript event handlers.

Additionally, educating users to avoid interacting with suspicious tree nodes and applying strict input validation or sanitization on user-controlled fields can reduce risk.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify how the Stored Cross-Site Scripting (XSS) vulnerability in Frappe Framework version 17.0.0-dev affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0