VYPR
Medium severity · NVD Advisory · Published Jun 12, 2026 · Updated Jun 12, 2026

CVE-2026-53568

Description

Stored XSS vulnerability in Frappe Report/List View allows malicious script injection, fixed in versions 15.107.2 and 16.17.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Frappe, a full-stack web application framework, contains a stored XSS vulnerability in its Report/List View feature. Affected versions are prior to 15.107.2 and 16.17.4. The vulnerability allows injection of arbitrary JavaScript through user-supplied data that is stored and later rendered without proper sanitization [1].

Exploitation

An attacker needs the ability to submit data that is displayed in a report or list view. The advisory does not state an authentication requirement, but such views are normally used by authenticated users, and the attacker would need at least write access to create or modify the records that feed them. The stored payload executes when a victim views the crafted report or list [1].

Impact

Successful exploitation leads to stored cross-site scripting (XSS), which can result in information disclosure, session hijacking, or arbitrary actions performed in the context of the victim's browser. The impact is confined to the affected application's functionality [1].

Mitigation

The issue is patched in Frappe Framework versions 15.107.2 and 16.17.4 [1]. Users should update to these versions or later. No workarounds are available [1].

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Frappe/Frappe (inferred, 2 versions)
    >=15.0,<15.107.2 || >=16.0,<16.17.4 (+1 more)
    • (no CPE) range: >=15.0,<15.107.2 || >=16.0,<16.17.4
    • (no CPE) range: <16.17.4, <15.107.2

Patches (2)

248ec905b55c

fix(report_view): link_title should be rendered as plain text

https://github.com/frappe/frappe · AarDG10 · Apr 27, 2026 · Fixed in 15.107.2 · via llm-release-walk
1 file changed · +2 −2
  • frappe/public/js/frappe/views/reports/report_view.js (+2 −2, modified)
    @@ -177,8 +177,8 @@ frappe.views.ReportView = class ReportView extends frappe.views.ListView {
     
     			// update visible DOM elements and cell tooltip
     			document.querySelectorAll(`a[data-name="${key}"]`).forEach((el) => {
    -				if (el.innerHTML === link_title) return;
    -				el.innerHTML = link_title;
    +				if (el.textContent === link_title) return;
    +				el.textContent = link_title;
     
     				$(el).closest(".dt-cell__content").attr("title", link_title);
     			});
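Review bot: the hunk carries no regression test for the sink it closes; add a test that renders a link title containing markup and asserts that the anchor's `textContent` equals the raw string (i.e. the markup is shown literally rather than parsed). Switching both the comparison and the assignment from `innerHTML` to `textContent` is the right change, since comparing decoded text against `link_title` keeps the early `return` consistent with what is now written. Leaving `$(el).closest(".dt-cell__content").attr("title", link_title);` untouched is fine: `.attr` sets an attribute value and does not parse HTML.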
    
6f78045ddb0b

fix(report_view): link_title should be rendered as plain text

https://github.com/frappe/frappe · AarDG10 · Apr 27, 2026 · Fixed in 16.17.4 · via llm-release-walk
1 file changed · +2 −2
  • frappe/public/js/frappe/views/reports/report_view.js (+2 −2, modified)
    @@ -162,8 +162,8 @@ frappe.views.ReportView = class ReportView extends frappe.views.ListView {
     
     			// update visible DOM elements and cell tooltip
     			document.querySelectorAll(`a[data-name="${key}"]`).forEach((el) => {
    -				if (el.innerHTML === link_title) return;
    -				el.innerHTML = link_title;
    +				if (el.textContent === link_title) return;
    +				el.textContent = link_title;
     
     				$(el).closest(".dt-cell__content").attr("title", link_title);
     			});
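Review bot: this is the identical two-line change as the 15.x commit at a different offset (line 162 here versus 177 there), so the same regression test should land on both release branches to stop either from drifting back to `innerHTML` independently. While here, please confirm that no other place in `report_view.js` or the parent `ListView` writes `link_title` into the DOM through `innerHTML`, since this hunk only covers the `a[data-name]` update path.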
    

Vulnerability mechanics

Root cause

"Using `innerHTML` instead of `textContent` to set a link title allows HTML/JavaScript injection."

Attack vector

An attacker with the ability to create or modify data that appears as a link title in a Frappe Report or List View can inject arbitrary HTML/JavaScript. When a victim views the report, the unsanitized `link_title` is assigned via `innerHTML`, causing the browser to execute the injected script. This is a stored cross-site scripting (XSS) attack because the payload persists in the application data and triggers on every subsequent view of the affected report.

Affected code

The vulnerability resides in `frappe/public/js/frappe/views/reports/report_view.js` within the `ReportView` class. The code uses `el.innerHTML` to compare and set the `link_title` value on anchor elements, which allows HTML injection when `link_title` contains malicious markup. Both patches [patch_id=5723714] and [patch_id=5723715] target the same file and logic, differing only by the line offset in the two release branches.

What the fix does

Both patches replace `el.innerHTML` with `el.textContent` for both the comparison and the assignment of `link_title`. The `textContent` property treats the value as plain text: any markup in it becomes literal characters in the node rather than parsed HTML, so no element or script is ever created from it. This prevents an attacker from injecting executable markup through the link title field, closing the stored XSS vector.
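As an added example (not Frappe's code and not from the patch author): a small Node.js source audit that flags `innerHTML`-style HTML sinks in JavaScript and stays silent on the `textContent` form the fix adopts. The sample source is constructed here to mirror the hunk, and the function and constant names (`findHtmlSinks`, `HTML_SINK_PATTERNS`) are this example's own.

```javascript
// Added example (not Frappe's code): a minimal source audit that flags DOM
// HTML sinks such as `innerHTML` assignments, the pattern behind this CVE,
// while ignoring the `textContent` form the fix switched to.
const HTML_SINK_PATTERNS = [
  // `x.innerHTML = ...`, `x.innerHTML += ...`, `x.outerHTML = ...`; a single
  // '=' only, so the `=== link_title` comparison is not reported as a sink
  /\.(innerHTML|outerHTML)\s*\+?=(?!=)/,
  // `x.insertAdjacentHTML(...)`
  /\.insertAdjacentHTML\s*\(/,
  // jQuery `.html(value)` setter; the bare getter `.html()` is harmless
  /\.html\s*\(\s*[^)\s]/,
];

// Returns one finding per line that writes HTML into the DOM.
function findHtmlSinks(source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    const trimmed = text.trim();
    if (trimmed.startsWith("//")) return; // skip comment-only lines
    if (HTML_SINK_PATTERNS.some((pattern) => pattern.test(text))) {
      findings.push({ line: idx + 1, text: trimmed });
    }
  });
  return findings;
}

// Constructed samples mirroring the hunk before and after the fix.
const BEFORE_FIX = `
document.querySelectorAll(\`a[data-name="\${key}"]\`).forEach((el) => {
  if (el.innerHTML === link_title) return;
  el.innerHTML = link_title;
  $(el).closest(".dt-cell__content").attr("title", link_title);
});`;

// The fix is exactly the innerHTML -> textContent substitution.
const AFTER_FIX = BEFORE_FIX.replace(/innerHTML/g, "textContent");

console.log("before fix:", findHtmlSinks(BEFORE_FIX)); // one finding, line 4
console.log("after fix:", findHtmlSinks(AFTER_FIX)); // no findings
```

Run it against a checkout with `node audit.js` after swapping the constructed samples for `fs.readFileSync` of the files you want to review; the comparison-only line is intentionally not reported.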

Preconditions

  • auth: The attacker must have the ability to create or modify a record whose link title is displayed in a Frappe Report or List View.
  • input: A victim user must navigate to the affected report or list view where the malicious link title is rendered.

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.