Stored XSS Vulnerability in Frappe Framework Affecting Web Applications
CVE-2026-53568

6.9MEDIUM

Key Information:

Vendor

Frappe

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-53568?

A stored Cross-Site Scripting (XSS) vulnerability exists in the Frappe Framework's Report and List View components, allowing attackers to inject malicious scripts. When a user accesses the affected Report or List, the injected script can execute within their browser session, posing significant security risks. Users are encouraged to upgrade to at least versions 15.107.2 or 16.17.4, where this vulnerability has been resolved.

Affected Version(s)

frappe < 15.107.2 < 15.107.2

frappe < 16.17.4 < 16.17.4

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.