Frappe Framework 17.0.0-dev - Stored XSS in Audit Trail template rendering
4,6
Medium
Detected by
Fluid Attacks AI SAST Scanner
Disclosed by
Oscar Uribe
Summary
Full name
Frappe Framework 17.0.0-dev - Stored XSS in Audit Trail template rendering
Code name
State
Public
Release date
Affected product
Frappe Framework
Vendor
Frappe
Affected version(s)
17.0.0-dev
Vulnerability name
Stored cross-site scripting (XSS)
Vulnerability type
Remotely exploitable
Yes
CVSS v4.0 vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS v4.0 base score
4.6
Exploit available
Yes
CVE ID(s)
Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component. The application renders audit diff values using microtemplates and appends the resulting content directly into the Desk DOM, allowing attacker-controlled data stored in audit records to be interpreted as active HTML or JavaScript when viewed by other users.
Both rendering paths are unsafe:
Changed fields / updated rows (
audit_trail.html)Rows added / rows removed (
audit_trail_rows_added_removed.html)
Both are inserted with jQuery .appendTo(...) without HTML escaping.
Vulnerability
Case A: changed-fields path (render_changed_fields)
Source persistence:
A tracked + submittable document chain (
original -> amended) stores a malicious compared value.
Server propagation:
compare_document()returnschanged/row_changedfromget_diff(...).
Client rendering:
render_changed_fields()->frappe.render_template("audit_trail", render_dict).audit_trail.htmluses raw<td>{{ value }}</td>.
Sink:
$(rendered_html).appendTo(frm.fields_dict.version_table.$wrapper.empty()).
Impact:
HTML is parsed as DOM and handler attributes execute.
Case B: rows-added/rows-removed path (render_rows_added_or_removed)
Source persistence:
Attacker-controlled child-row value is stored in amended document.
Server propagation:
compare_document()->get_rows_added_removed_grid()/filter_fields_for_gridview()returns child values inadded/removed.
Client rendering:
render_rows_added_or_removed()->frappe.render_template("audit_trail_rows_added_removed", section_dict).audit_trail_rows_added_removed.htmluses raw<td>{{ added_or_removed[...] }}</td>.
Sink:
$(rendered_html).appendTo(frm.fields_dict[key].$wrapper.empty())(line 117).
Impact:
Injected HTML executes in Audit Trail view.
Relevant code:
frappe/frappe/core/doctype/audit_trail/audit_trail.js:91-99frappe/frappe/core/doctype/audit_trail/audit_trail.js:103-119frappe/frappe/core/doctype/audit_trail/audit_trail.html:29frappe/frappe/core/doctype/audit_trail/audit_trail_rows_added_removed.html:24frappe/frappe/core/doctype/audit_trail/audit_trail.py:52-71
PoC
URL to open
GUI trigger A (changed-fields)
Open
Audit Trailform.Set
DocTypeto:
Set
Documentto:
Click
Compare.
Expected result:
Fields Changedrenders injected HTML.JavaScript executes.
Payload used:
GUI trigger B (rows-added / line 117 path)
Open
Audit Trailform.Set
DocTypeto:
Set
Documentto:
Click
Compare.
Expected result:
Rows Addedtable renders injected child-row HTML.JavaScript executes.
Payload used in child table:
Evidence of Exploitation
Static evidence
Our security policy
We have reserved the ID CVE-2026-50698 to refer to this issue from now on.
System Information
Frappe Framework
Version 17.0.0-dev
Operating System: Any
References
Github Repository: https://github.com/frappe/frappe
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Oscar Uribe from Fluid Attacks' Offensive Team using the AI SAST Scanner.
Timeline
Vulnerability discovered
Vendor contacted
Vendor replied
Public disclosure
Does your application use this vulnerable software?
During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.
