Frappe Framework 17.0.0-dev - Stored XSS in Notifications Events color rendering
4.8
Medium
Detected by
Fluid Attacks AI SAST Scanner
Disclosed by
Oscar Uribe
Summary
Full name
Frappe Framework 17.0.0-dev - Stored XSS in Notifications Events color rendering
Code name
State
Public
Release date
Affected product
Frappe Framework
Vendor
Frappe
Affected version(s)
17.0.0-dev
Vulnerability name
Stored cross-site scripting (XSS)
Vulnerability type
Remotely exploitable
Yes
CVSS v4.0 vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS v4.0 base score
4.8
Exploit available
Yes
CVE ID(s)
Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications > Events panel. Event data returned from the server is interpolated into an HTML template string and rendered using jQuery's .html() method without adequate escaping or sanitization.
The vulnerability arises because the Event.color field is inserted directly into an inline style attribute. An attacker with permission to create or modify Event records can store a crafted payload that breaks out of the attribute context and injects arbitrary HTML attributes, such as JavaScript event handlers. When another user opens the Events notifications panel and interacts with the affected entry, attacker-controlled code may execute in the victim's browser.
Vulnerability
Case A: Event.color attribute injection in notifications dropdown
Source persistence: attacker-controlled
Event.coloris stored in database.Server propagation:
frappe.desk.doctype.event.event.get_eventsreturnscolorusing SQLas_dict=True.Client interpolation:
EventsView.render_events_htmlinjects it in:<div class="event-border" style="border-color: ${event.color}"></div>
Sink: rendered string is inserted with
this.container.html(html).Impact: quote-breaking payload injects event-handler attributes and executes in victim Desk session.
Case B: non-primary claims
subjectis not the validated vector here. Runtime tests showed dangerous handlers are removed on save by document sanitization.nameis not attacker-controlled in normal Event flow (EV.#####autoname).avatar_grouppath is not active in this function because the code readsevent.particpants(typo) and participants are not returned in the current query.
Relevant code:
frappe/frappe/public/js/frappe/ui/notifications/notifications.js:422-489frappe/frappe/desk/doctype/event/event.py:335-417frappe/frappe/desk/doctype/event/event.json:373-383frappe/frappe/model/base_document.py:1356-1396
PoC
GUI flow
Login to Desk as a user that can create/edit
Event(defaultDesk Usercan write).Create a
Publicevent scheduled for today with statusOpen.Set
Colorto payload:
Save event.
Open
http://localhost:18080/desk.Open notifications (bell icon) and go to
Eventstab.Hover the event's left color bar (
.event-border).
Expected result:
JavaScript executes (
alert(document.domain)).
API check (optional)
Verify payload reaches source API unchanged for the current day:
Evidence of Exploitation
Video of exploitation
Our security policy
We have reserved the ID CVE-2026-50709 to refer to this issue from now on.
System Information
Frappe Framework
Version 17.0.0-dev
Operating System: Any
References
Github Repository: https://github.com/frappe/frappe
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Oscar Uribe from Fluid Attacks' Offensive Team using the AI SAST Scanner.
Timeline
Vulnerability discovered
Vendor contacted
Vendor replied
Public disclosure
Does your application use this vulnerable software?
During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.
