CVE-2026-44205
Description
Stored XSS in Frappe user profile image upload allows attackers to execute malicious scripts in other users' browsers, fixed in version 15.106.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework prior to version 15.106.0. The flaw resides in the user profile image section, where uploaded images are not sanitized properly, allowing injection of malicious scripts that execute when other users view the profile [1].
Exploitation
An attacker with the ability to upload a profile image (typically any authenticated user) can craft a malicious image or file containing a JavaScript payload. Once uploaded, the payload is stored on the server and subsequently served to other users who view the attacker's profile, where it executes in their browser context [1].
Impact
Successful exploitation allows arbitrary JavaScript execution in the browsers of other users who view the attacker's profile. This can lead to session hijacking, credential theft, defacement, or other actions on behalf of the victim within the Frappe application [1].
Mitigation
The vulnerability is fixed in Frappe Framework version 15.106.0. All users should upgrade to this or a later version. No workarounds are available [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
10f5a3c549e73 chore(release): Bumped to Version 15.106.0
1 file changed · +1 −1
frappe/__init__.py+1 −1 modified@@ -51,7 +51,7 @@ ) from .utils.lazy_loader import lazy_import -__version__ = "15.105.0" +__version__ = "15.106.0" __title__ = "Frappe Framework" # This if block is never executed when running the code. It is only used for
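Review bot: the only change in this hunk is `__version__ = "15.105.0"` becoming `"15.106.0"` in frappe/__init__.py; the escaping change this page describes (commit "escape image in profile sidebar", [7a8cf84]) is not part of this diff, so a reviewer of the patch set has to go to that commit rather than this release bump, and the page would be clearer with that commit's diff shown beside the version change.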
Vulnerability mechanics
Root cause
"Missing HTML escaping of user profile image data when rendering the profile sidebar allows stored cross-site scripting."
Attack vector
An attacker uploads a crafted profile image containing malicious script code. When other users view a page that renders the profile sidebar, the unescaped image data is injected into the DOM, causing the script to execute in their browsers. The attack requires the attacker to have an account with the ability to set a profile image, and the victim must visit a page that displays the attacker's profile sidebar [patch_id=5722730].
Affected code
The vulnerability exists in the profile sidebar rendering code. The commit "escape image in profile sidebar" ([7a8cf84] in patch_id=5722730) addresses the issue, but the exact file path is not shown in the provided diff. The patch bundle also includes a separate fix for CustomHTMLBlock server-side validation ([b293360]), which may be related to the same stored XSS class.
What the fix does
The patch includes a commit titled "escape image in profile sidebar" ([7a8cf84] in patch_id=5722730), which adds proper HTML escaping to the image value rendered in the profile sidebar. This prevents attacker-supplied script content from being interpreted as executable code by the browser. The fix is included in version 15.106.0.
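As an added illustration, not Frappe's own code, the rendering pattern the fix targets: a stored profile-image value interpolated into sidebar markup unescaped, beside the escaped form, with a small tag-count check a test suite could use. The field name, markup and escaping helper are assumptions for illustration.

```javascript
// Added example (not Frappe's code). The `userImage` field name, the <img>
// markup and the escaper are assumptions made to illustrate the fix class.

// Minimal HTML escaper suitable for text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored value is concatenated straight into markup,
// so a quote in the value closes the src attribute and the remainder is
// parsed as HTML when the fragment is inserted into the DOM.
function renderSidebarImageUnsafe(userImage) {
  return `<img class="avatar" src="${userImage}">`;
}

// Fixed pattern: the interpolated value is escaped for the attribute context,
// so the browser sees one <img> with a (broken) src and nothing else.
function renderSidebarImageSafe(userImage) {
  return `<img class="avatar" src="${escapeHtml(userImage)}">`;
}

// Check for templates/tests: count element openers in a rendered fragment.
// A sidebar image fragment should only ever contain the single <img>.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample value: a stored "image path" that breaks out of src.
const CONSTRUCTED_HOSTILE_IMAGE = '/files/pic.png"><b>injected</b>';

console.log(countTags(renderSidebarImageUnsafe(CONSTRUCTED_HOSTILE_IMAGE))); // 2
console.log(countTags(renderSidebarImageSafe(CONSTRUCTED_HOSTILE_IMAGE)));   // 1
```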
Preconditions
- auth: Attacker must have an account with the ability to set a profile image.
- input: Attacker must upload a profile image containing malicious script content.
- network: Victim must visit a page that renders the attacker's profile sidebar.
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.