Frappe Framework 17.0.0-dev - Reflected DOM XSS in dashboard-view breadcrumb rendering
5.1
Medium
Detected by
Fluid Attacks AI SAST Scanner
Disclosed by
Oscar Uribe
Summary
Full name
Frappe Framework 17.0.0-dev - Reflected DOM XSS in dashboard-view breadcrumb rendering
Code name
State
Public
Release date
Affected product
Frappe Framework
Vendor
Frappe
Affected version(s)
17.0.0-dev
Vulnerability name
Reflected cross-site scripting (XSS)
Vulnerability type
Remotely exploitable
Yes
CVSS v4.0 vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS v4.0 base score
5.1
Exploit available
Yes
CVE ID(s)
Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component. The breadcrumb generation logic reads route data directly from the browser URL and injects it into the page without performing adequate output encoding or sanitization.
A specially crafted URL can contain malicious HTML or JavaScript within a route segment. The router decodes the attacker-controlled segment and passes it to the breadcrumb rendering logic. Subsequently, set_dashboard_breadcrumb() inserts the value into the DOM through jQuery HTML parsing, causing the injected content to be interpreted as active markup rather than plain text.
An attacker can exploit this vulnerability by enticing a victim to visit a crafted URL. Successful exploitation results in arbitrary JavaScript execution in the context of the victim's session, potentially leading to session hijacking, unauthorized actions, data disclosure, or other impacts associated with reflected cross-site scripting vulnerabilities.
Vulnerability
Case A: reflected XSS via dashboard-view/<payload> route segment
Source: attacker-controlled route segment in URL path.
Propagation:
frappe.router.parse()splits route and appliesdecodeURIComponentviadecode_component.decoded value is available in
frappe.get_route()[1].
Sink:
set_dashboard_breadcrumb()builds HTML using template literal with unescapeddocnameand appends via jQuery:$(`<li><a href="${dashboard_route}">${__(docname)}</a></li>`).appendTo(...)
Impact: injected HTML is parsed and event handlers execute (reflected DOM XSS).
Relevant code:
frappe/frappe/public/js/frappe/router.js:154-158frappe/frappe/public/js/frappe/router.js:568-570frappe/frappe/public/js/frappe/views/breadcrumbs.js:84-87frappe/frappe/public/js/frappe/views/breadcrumbs.js:253-257
PoC
Browser URL PoC
Open while authenticated in Desk:
Non-dialog deterministic payload:
Expected result:
JavaScript executes from the injected breadcrumb node.
Evidence of Exploitation
Static evidence:
Our security policy
We have reserved the ID CVE-2026-50701 to refer to this issue from now on.
System Information
Frappe Framework
Version 17.0.0-dev
Operating System: Any
References
Github Repository: https://github.com/frappe/frappe
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Oscar Uribe from Fluid Attacks' Offensive Team using the AI SAST Scanner.
Timeline
Vulnerability discovered
Vendor contacted
Vendor replied
Public disclosure
Does your application use this vulnerable software?
During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.
