High severity7.2NVD Advisory· Published Mar 5, 2026· Updated Apr 29, 2026

CVE-2026-28436

Description

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0.

Affected products

Frappe/Frappe
cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*
Range: <15.102.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/frappe/frappe/security/advisories/GHSA-vm63-r48g-7wqhnvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.468
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000