Stored XSS Vulnerability in Frappe Web Application Framework
CVE-2026-44205

6.9MEDIUM

Key Information:

Vendor

Frappe

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-44205?

Frappe, a full-stack web application framework, has a stored Cross-Site Scripting (XSS) vulnerability present in the user profile image section. This flaw allows attackers to inject and execute malicious scripts within the browsers of unsuspecting users. The vulnerability is addressed in version 15.106.0, which provides a crucial patch to enhance user security and prevent potential exploitation.

Affected Version(s)

frappe < 15.106.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.