Frappe Framework 17.0.0-dev - Stored XSS in Tree View node label rendering

Description

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.ui.Tree component. Tree node labels are rendered using an HTML template that inserts node.label directly into the data-name attribute of an <a> element without attribute escaping.

An attacker can create or modify records whose names are later used as tree node labels. Because quotes are not blocked by Frappe's name validation, a crafted value can break out of the data-name attribute and inject arbitrary HTML attributes, including JavaScript event handlers such as onclick. When another user interacts with the affected tree node, attacker-controlled code may execute in the victim's browser.

The issue was validated using the built-in Customer Group tree, where the document name is derived from the user-controlled customer_group_name field.

Vulnerability

Case A: node.label attribute injection in Tree.make_icon_and_label

1. Source persistence:

   • Attacker stores a crafted tree-node name in the database.

   • In the validated PoC, Customer Group.customer_group_name produced the stored name value TreeXss" onclick="alert(1).

2. Server propagation:

   • The whitelisted tree API returns name as value and title in the response.

   • frappe.ui.Tree.add_node() maps data.value into label.

3. Sink:

   • make_icon_and_label() interpolates node.label directly into data-name="${node.label}" and appends the HTML with jQuery.

4. Impact:

   • The injected handler becomes part of the rendered tree node and executes when the victim clicks the node in Tree View.

Case B: node.title / get_node_label()

• The original report focused on node.title and get_node_label().

• That content path is also unescaped in tree.js:261-264.

• In particular, when node.title differs from node.label, the renderer returns:

  • __(node.title) + " <span class='text-muted'>(" + node.label + ")</span>"

• This means node.label is also injected into element HTML content, not only into the data-name attribute.

• As a result, Tree View has multiple unescaped client render paths for the same server-returned values (value / title).

• However, the end-to-end GUI validation for this advisory used the stronger attribute-injection path via node.label, which does not require raw HTML tags and works with quote characters alone.

Case C

• This is not limited to custom tree methods.

• The validated PoC used the built-in whitelisted method frappe.desk.treeview.get_children and a stock tree doctype (Customer Group) present in the environment.

• In this environment, Customer Group creation is allowed for the Sales Master Manager role, so the exploit path is not restricted to system administrators.

• The same root cause also covers other flows that can influence stored tree node names, including rename-capable tree doctypes, because the Tree UI trusts DB-backed name / title values from the server.

Relevant code:

• frappe/frappe/desk/treeview.py:50-53

• frappe/frappe/public/js/frappe/ui/tree.js:130-139

• frappe/frappe/public/js/frappe/ui/tree.js:257-265

• frappe/frappe/public/js/frappe/ui/tree.js:280-283

• frappe/frappe/model/naming.py:522-525

• frappe/frappe/model/base_document.py:1372-1394

PoC

GUI flow

1. Login to Desk at:

http://localhost:18080/desk

http://localhost:18080/desk

http://localhost:18080/desk

http://localhost:18080/desk

2. Store a tree node with the following name payload. In the validated environment, this was done by creating a Customer Group under All Customer Groups with:

customer_group_name: TreeXss" onclick="alert(1)

customer_group_name: TreeXss" onclick="alert(1)

customer_group_name: TreeXss" onclick="alert(1)

customer_group_name: TreeXss" onclick="alert(1)

3. Open:

http://localhost:18080/desk/customer-group/view/tree

http://localhost:18080/desk/customer-group/view/tree

http://localhost:18080/desk/customer-group/view/tree

http://localhost:18080/desk/customer-group/view/tree

4. Click the malicious tree node.

Expected result:

• The tree node anchor contains an injected onclick attribute.

• Clicking the node executes JavaScript in the victim's Desk session.

Evidence of Exploitation

• Static evidence:

  

Our security policy

We have reserved the ID CVE-2026-50712 to refer to this issue from now on.

System Information

• Frappe Framework

• Version 17.0.0-dev

• Operating System: Any

References

• Github Repository: https://github.com/frappe/frappe

• Security: https://github.com/frappe/frappe/security

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Oscar Uribe from Fluid Attacks' Offensive Team using the AI SAST Scanner.