VYPR research
Published Jun 24, 2026 · Updated Jun 30, 2026 · 1 source

Frappe Framework 17.0.0-dev: Seven XSS Vulnerabilities Disclosed Together


Key findings

  • Seven XSS vulnerabilities disclosed together in Frappe Framework 17.0.0-dev on June 24, 2026.
  • Vulnerabilities affect multiple UI components including Tree View, Number Cards, Notifications, File View, and avatars.
  • All issues stem from improper neutralization of user-controlled input.
  • The disclosure window of only one hour suggests a coordinated reporting of related flaws.

On June 24, 2026, a batch of seven cross-site scripting (XSS) vulnerabilities was disclosed in the Frappe Framework, affecting version 17.0.0-dev. These vulnerabilities, all discovered and reported on the same day, highlight potential risks within the framework's user interface rendering components. The disclosures collectively point to a pattern of improper input neutralization, allowing attackers to inject malicious scripts into various parts of the application.

The vulnerabilities span several components within the Frappe Framework:

  • Tree View and File View: CVE-2026-50712 and CVE-2026-50704 concern the rendering of node labels in the Tree View and of breadcrumbs in the File View, respectively. Both are stored XSS issues caused by inadequate handling of user-supplied data.
  • Number Card and Notifications: CVE-2026-50711 affects the Number Card component's filter fields, while CVE-2026-50709 affects the rendering of colors in the Notifications > Events panel. Both stem from improper neutralization of input.
  • Dialogs and Avatars: CVE-2026-50708 is a stored XSS vulnerability in the MultiSelectDialog component's result rendering. CVE-2026-50700 is a stored XSS vulnerability in the frappe.get_avatar function, affecting image rendering.
  • Dashboard View: CVE-2026-50701 is a reflected DOM XSS vulnerability in the dashboard-view component's breadcrumb rendering.
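As an added illustration (this is not Frappe's code, and the function names and the fallback avatar path are hypothetical), the rendering pattern behind this class of bug is shown beside its hardened form: user-controlled text in tree labels and breadcrumbs is escaped before being placed in markup, and an avatar image URL is additionally restricted by scheme because escaping alone does not make an attribute value a safe URL.

```javascript
// Added example, not part of the Frappe code base: unsafe vs. hardened
// rendering of untrusted strings in the three contexts the advisory names
// (tree node label, breadcrumb text, avatar <img> attributes).

// Escape the characters that can change HTML context in text or in a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the label is interpolated straight into markup, so a
// label that contains a tag is rendered as that tag.
function renderTreeLabelUnsafe(label) {
  return `<span class="tree-label">${label}</span>`;
}

// Hardened pattern: escape before interpolation; the same label renders as
// literal text.
function renderTreeLabelSafe(label) {
  return `<span class="tree-label">${escapeHtml(label)}</span>`;
}

// Breadcrumbs built from an array of path segments, each segment escaped.
function renderBreadcrumbs(segments) {
  return segments
    .map((seg) => `<a href="#" class="crumb">${escapeHtml(seg)}</a>`)
    .join(" / ");
}

// URL context: escaping does not stop a "javascript:" scheme, so accept only
// absolute http(s) URLs or same-origin paths and otherwise use a fixed
// fallback (hypothetical path).
function safeImageUrl(url) {
  const u = String(url).trim();
  if (/^https?:\/\//i.test(u)) return u;
  if (u.startsWith("/") && !u.startsWith("//")) return u;
  return "/assets/default-avatar.png";
}

function renderAvatar(src, title) {
  return `<img class="avatar" src="${escapeHtml(safeImageUrl(src))}" title="${escapeHtml(title)}">`;
}

// Constructed sample inputs (not from the advisory) that embed markup.
const SAMPLE_LABEL = 'Q3 Reports <img src=x onerror="alert(1)">';
const SAMPLE_TITLE = '" onload="alert(1)';
const SAMPLE_SRC = "javascript:alert(1)";
```

Running `renderTreeLabelSafe(SAMPLE_LABEL)` yields a span whose content is the label as visible text, whereas the unsafe variant emits a live `<img>` element.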

All reported vulnerabilities affect Frappe Framework version 17.0.0-dev. The consistent nature of these XSS flaws, all disclosed within a one-hour window, suggests a systemic issue with input sanitization in this development version. Users of Frappe Framework should exercise caution and ensure they are not running the vulnerable 17.0.0-dev version. As these vulnerabilities were disclosed together, it is likely that patches or updated versions addressing these issues have been or will be released promptly by the Frappe team. Staying updated with the latest stable releases is crucial for mitigating such risks.

Synthesized by Vypr AI