Stored XSS Vulnerability in Frappe Framework Affects Multiple Versions
CVE-2026-47739

6.9MEDIUM

Key Information:

Vendor

Frappe

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-47739?

A stored Cross-Site Scripting (XSS) vulnerability was identified in the Frappe framework, which allows attackers to inject malicious scripts into the Note feature due to insufficient input sanitization. This issue affected users of versions prior to 15.106.0 and 16.16.0, potentially compromising user data and security. Frappe has addressed this vulnerability in the latest releases, underscoring the importance of keeping software up to date to mitigate security risks. For more information on this vulnerability, visit the official advisory.

Affected Version(s)

frappe < 15.106.0 < 15.106.0

frappe < 16.16.0 < 16.16.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.