Frappe Framework 17.0.0-dev - Stored XSS in Multi Select Dialog result rendering
4,8
Medium
Detected by
Fluid Attacks AI SAST Scanner
Disclosed by
Oscar Uribe
Summary
Full name
Frappe Framework 17.0.0-dev - Stored XSS in Multi Select Dialog result rendering
Code name
State
Public
Release date
Affected product
Frappe Framework
Vendor
Frappe
Affected version(s)
17.0.0-dev
Vulnerability name
Stored cross-site scripting (XSS)
Vulnerability type
Remotely exploitable
Yes
CVSS v4.0 vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS v4.0 base score
4.8
Exploit available
Yes
CVE ID(s)
Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the MultiSelectDialog component. Search results returned from the server are rendered by interpolating raw field values into an HTML template string without adequate escaping or sanitization.
The vulnerable template places field values in both HTML body and attribute contexts, including title, data-item-name, and link href attributes. The resulting markup is parsed through jQuery HTML constructors and appended to the dialog's result list. An attacker with write access to a searchable DocType can store a crafted payload that executes when another user opens the affected dialog.
Vulnerability
Case A: attribute injection from search_widget results into dialog rows
Source persistence: attacker-controlled record fields are stored in DB (validated with
Event.subject).Server propagation:
frappe.desk.search.search_widgetreturns rows fromfrappe.get_list(..., as_dict=True)with no HTML escaping.Client interpolation:
MultiSelectDialog.make_list_rowinjects unescaped values in multiple contexts, including:<span class="ellipsis result-row" title="${result[column]}">...<input ... data-item-name="${result.name}"><div ... data-item-name="${result.name}">
Sink: the string is parsed via jQuery
$(<div ...>...)me.$results.append(...)
Impact: quote-breaking payloads can inject event handlers (
onmouseenter, etc.) and execute JavaScript in victim Desk sessions.
Case B
The additional report focused on render_result_list line 517 is the same source→sink chain:
res.message(fromfrappe.desk.search.search_widget) is iterated inrender_result_list.Each
resultis passed tomake_list_row(result), where unescaped interpolation happens in HTML/attribute contexts.The generated node is inserted with:
me.$results.append(me.make_list_row(result));
This is not a separate CVE; it is the same stored XSS in
MultiSelectDialogrendering.
Relevant code:
frappe/frappe/public/js/frappe/form/multi_select_dialog.js:454-517frappe/frappe/public/js/frappe/form/multi_select_dialog.js:498-518frappe/frappe/public/js/frappe/form/multi_select_dialog.js:588-595frappe/frappe/desk/search.py:67-252
PoC
URL trigger PoC
Create a record that appears in
search_widgetresults (validated withEvent) and set payload in a searchable text field:
Open Desk while authenticated:
In the same tab, execute this URL in the address bar:
Expected result:
Browser executes injected JavaScript (
alert(document.domain)).
Evidence of Exploitation
Static evidence
Our security policy
We have reserved the ID CVE-2026-50708 to refer to this issue from now on.
System Information
Frappe Framework
Version 17.0.0-dev
Operating System: Any
References
Github Repository: https://github.com/frappe/frappe
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Oscar Uribe from Fluid Attacks' Offensive Team using the AI SAST Scanner.
Timeline
Vulnerability discovered
Vendor contacted
Vendor replied
Public disclosure
Does your application use this vulnerable software?
During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.
