CVE-2026-50699
MediumCVSS 4.6Exploitation Probability (EPSS)
Low risk23th percentile — higher than 23% of all known CVEs
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document, leading to script execution when users open the affected Auto Repeat form.
Risk Assessment
This vulnerability may allow malicious code execution in users' browsers, posing risks of data theft or session hijacking. Organizations should be aware of the potential security implications.
Recommendation
It is recommended to update Frappe Framework to the latest version to mitigate this vulnerability. Additionally, access to the Auto Repeat feature should be restricted to trusted users.
Original NVD description (English source)
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger script execution when users open the affected Auto Repeat form.

