Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-50709— Frappe Framework 17.0.0-dev - Stored XSS in Notifications Events color rendering

AI Predicted 6.1 Difficulty: Easy EPSS 0.24% · P15

Affected Version Matrix 1

VendorProductVersion RangeStatus
FrappeFrappe Framework17.0.0-devaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-50709

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Frappe Framework 17.0.0-dev - Stored XSS in Notifications Events color rendering
Source: NVD (National Vulnerability Database)
Vulnerability Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications > Events panel.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Frappe Framework 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Frappe Frappe Framework是印度Frappe公司的一款全栈Web开发框架。 Frappe Framework 17.0.0-dev版本存在跨站脚本漏洞,该漏洞源于对Notifications > Events面板中用户控制输入的中和不当,可能导致存储型跨站脚本(XSS)攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
FrappeFrappe Framework 17.0.0-dev -

II. Public POCs for CVE-2026-50709

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-50709

登录查看更多情报信息。

Proof of Concept for CVE-2026-50709 (1)

Same Patch Batch · Frappe · 2026-06-24 · 12 CVEs total

CVE-2026-50703Frappe Framework 17.0.0-dev - Stored XSS in Desktop Icon label rendering
CVE-2026-50700Frappe Framework 17.0.0-dev - Stored XSS in frappe.get_avatar image rendering
CVE-2026-50711Frappe Framework 17.0.0-dev - Stored XSS in Number Card filter fields rendering
CVE-2026-50705Frappe Framework 17.0.0-dev - Stored XSS in Form Dashboard headline rendering
CVE-2026-50701Frappe Framework 17.0.0-dev - Reflected DOM XSS in dashboard-view breadcrumb rendering
CVE-2026-50699Frappe Framework 17.0.0-dev - Stored XSS in Auto Repeat dashboard schedule rendering
CVE-2026-50698Frappe Framework 17.0.0-dev - Stored XSS in Audit Trail template rendering
CVE-2026-50704Frappe Framework 17.0.0-dev - Reflected/Stored XSS in File View breadcrumbs rendering
CVE-2026-50712Frappe Framework 17.0.0-dev - Stored XSS in Tree View node label rendering
CVE-2026-50710Frappe Framework 17.0.0-dev - Stored XSS via eval in Number Card filters_config
CVE-2026-50708Frappe Framework 17.0.0-dev - Stored XSS in Multi Select Dialog result rendering

IV. Related Vulnerabilities

V. Comments for CVE-2026-50709

No comments yet


Leave a comment