CVE Catalog

CVE-2026-50699

MediumCVSS 4.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

23th percentile — higher than 23% of all known CVEs

Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document, leading to script execution when users open the affected Auto Repeat form.

Risk Assessment

This vulnerability may allow malicious code execution in users' browsers, posing risks of data theft or session hijacking. Organizations should be aware of the potential security implications.

Recommendation

It is recommended to update Frappe Framework to the latest version to mitigate this vulnerability. Additionally, access to the Auto Repeat feature should be restricted to trusted users.

Original NVD description (English source)

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger script execution when users open the affected Auto Repeat form.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS