CVE-2026-47739
Description
Stored XSS vulnerability in Frappe Note before 15.106.0 and 16.16.0 due to insufficient input sanitization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the Note functionality of the Frappe web application framework prior to versions 15.106.0 and 16.16.0. The issue arises from insufficient sanitization of user-supplied content when creating or editing notes, allowing arbitrary HTML or JavaScript to be stored and later executed in the context of other users who view the note. [1]
Exploitation
An attacker with authenticated access to the Frappe application can craft a note containing malicious script or HTML. When another user views the affected note in their browser, the injected payload executes, enabling a range of client-side attacks. No additional user interaction beyond viewing the note is required. [1]
Impact
Successful exploitation allows an attacker to perform actions on behalf of the victim within the Frappe session, including data exfiltration, session hijacking, or UI modification. The impact is limited to the affected user's session and permissions within the application, but may lead to further compromise depending on the victim's privileges. [1]
Mitigation
The vulnerability has been patched in Frappe versions 15.106.0 and 16.16.0, released on the same date as this advisory. Updating to these or later versions resolves the issue. No workarounds are available. [1]
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
20d50e002f09b fix(note): force sanitization in notes
1 file changed · +1 −0
frappe/desk/doctype/note/note.py+1 −0 modified@@ -36,6 +36,7 @@ def validate(self): if not self.content: self.content = "<span></span>" + self.content = frappe.utils.sanitize_html(self.content, always_sanitize=True) def before_print(self, settings=None): self.print_heading = self.name
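Review bot: the sanitization runs only inside `validate`, i.e. at save time, so Note records that were stored before this change keep whatever HTML they already contain until each one is re-saved; a one-off patch that re-runs `frappe.utils.sanitize_html(..., always_sanitize=True)` over existing `content` values would close that gap. The change also ships with no test (`1 file changed`); a regression test that saves a Note whose `content` carries a `<script>` element and asserts the element is gone after save would document the intent. Minor: placing the new line after the `"<span></span>"` fallback means the placeholder is sanitized too, which is harmless.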
0f5a3c549e73 chore(release): Bumped to Version 15.106.0
1 file changed · +1 −1
frappe/__init__.py+1 −1 modified@@ -51,7 +51,7 @@ ) from .utils.lazy_loader import lazy_import -__version__ = "15.105.0" +__version__ = "15.106.0" __title__ = "Frappe Framework" # This if block is never executed when running the code. It is only used for
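Review bot: this is the 15.x version bump only; the advisory names 16.16.0 as a fixed version as well, but no version-16 commit appears in this patch list, so the backport of the `note.py` fix to the 16 branch is not visible here and cannot be confirmed from the linked patches.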
Vulnerability mechanics
Root cause
"Missing HTML sanitization on the Note content field allows stored XSS."
Attack vector
An attacker with permission to create or edit a Note can inject arbitrary HTML or JavaScript into the `content` field. Because the content was stored unsanitized and later rendered in a browser context, the injected script executes in the context of any user who views the Note. This is a stored cross-site scripting (XSS) vulnerability triggered by simply viewing the malicious Note.
Affected code
The vulnerability exists in the Note doctype's `validate` method in `frappe/desk/doctype/note/note.py` [patch_id=5722708]. The `content` field was stored without sanitization, allowing arbitrary HTML to be persisted.
What the fix does
The patch adds a single line in the `validate` method of `note.py` [patch_id=5722708]: `self.content = frappe.utils.sanitize_html(self.content, always_sanitize=True)`. This forces sanitization of the Note's content on every save, stripping dangerous HTML tags and attributes before the content is stored. The `always_sanitize=True` parameter ensures sanitization is applied regardless of any other configuration.
Preconditions
- Auth: the attacker must have permission to create or edit a Note doctype record in Frappe.
- Input: a victim user must view the malicious Note in the Frappe UI.
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.