Frappe Framework Stored Cross-Site Scripting Vulnerability in Tag Pill Renderer

Vulnerability

A stored cross-site scripting vulnerability has been identified in Frappe Framework version 16.10.0. This issue allows authenticated attackers to inject malicious JavaScript into tag values, which is executed when the tags are viewed in a report. The vulnerability arises because the tag content is rendered into HTML without proper escaping, enabling the execution of injected scripts.
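The unescaped rendering described above, next to an escaped version, as an added example that is not Frappe's own code. The function names, the tag-pill markup and the comma-separated tag storage format are assumptions made for illustration.

```javascript
"use strict";

// Added illustration; names and markup are hypothetical, not taken from Frappe.
// Escape the five characters that are significant in HTML text and attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Split a stored tag string into individual tags (comma-separated format is an assumption).
function parseTags(stored) {
  return String(stored || "")
    .split(",")
    .map((t) => t.trim())
    .filter((t) => t.length > 0);
}

// Vulnerable pattern: the stored tag is concatenated into markup as-is.
function renderTagPillsUnsafe(stored) {
  return parseTags(stored)
    .map((tag) => `<span class="tag-pill" title="${tag}">${tag}</span>`)
    .join("");
}

// Hardened pattern: every tag is escaped at the point where it becomes HTML.
function renderTagPillsSafe(stored) {
  return parseTags(stored)
    .map((tag) => {
      const safe = escapeHtml(tag);
      return `<span class="tag-pill" title="${safe}">${safe}</span>`;
    })
    .join("");
}

// Constructed sample input: one ordinary tag and one tag carrying markup.
const SAMPLE_TAGS = 'urgent, <img src=x onerror="console.log(1)">';

function demo() {
  return { unsafe: renderTagPillsUnsafe(SAMPLE_TAGS), safe: renderTagPillsSafe(SAMPLE_TAGS) };
}

console.log(demo());
```

In browser code that builds DOM nodes rather than HTML strings, assigning the tag to textContent gives the same result without a separate escaping step.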

Impact

Exploitation of this vulnerability allows for the injection and execution of malicious JavaScript in the context of the user viewing the report.

Reproduction

To reproduce this vulnerability, an authenticated user can store a crafted tag value that includes JavaScript. Once the tag is saved, the user can open the report view where the tags are displayed. If 'Show Tags' is enabled in the list settings, the injected JavaScript will execute, demonstrating the cross-site scripting vulnerability.

Added: Apr 22, 2026, 8:20 PM
Updated: Apr 22, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 1.7
exploitability: 6.5
remediation: 0.0
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.