Frappe, Cross-site Scripting (XSS), CVE-2026-28436 (MEDIUM)

Listen to this Post

The vulnerability stems from improper sanitization of user-supplied image URLs within the Frappe framework. An attacker can inject malicious JavaScript code into the URL field used for avatar images. Specifically, they craft a URL containing an XSS payload, such as `javascript:alert(document.cookie)` or a data URI with embedded script. When the Frappe application renders an avatar using the `avatar_macro.html` template, it directly uses this unsanitized URL in the `src` attribute of an `` tag, or in some contexts, as an argument to a JavaScript function that sets the image source. Because the input is not validated or escaped, the browser interprets the malicious portion of the URL. For a stored/persistent XSS attack, the attacker saves this crafted URL as their avatar. Subsequently, any other user who views a page containing that user’s avatar—for example, in website comments—will trigger the malicious script. The script executes in the context of the victim’s browser, allowing the attacker to potentially steal session cookies, perform actions on behalf of the user, or deface the website. This issue is patched in Frappe versions 16.11.0 and 15.102.0 by implementing proper input validation and output encoding for avatar URLs .
Platform: Frappe
Version: <16.11.0, <15.102.0
Vulnerability: Stored XSS
Severity: MEDIUM
date: 2026-03-05

Prediction: Patch expected immediately

What Undercode Say:

Analytics:

  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
  • EPSS Score: 0.03% (as of 2026-03-05)
  • Patch Availability: Yes, in versions 16.11.0 and 15.102.0.
  • Detection Command:
    Check installed Frappe version
    bench --version | grep Frappe
    Or, if using pip
    pip show frappe | grep Version
    
  • Vulnerable Code Pattern Search:
    Search for the avatar macro which might contain the vulnerable code
    grep -r "avatar_macro.html" --include=".py" --include=".html" .
    Look for unsanitized URL usage in image tags within that file
    cat frappe/templates/includes/avatar_macro.html | grep -i "src="
    

How Exploit:

  • Malicious Avatar URL: An attacker sets their profile image URL to a malicious string. Example payloads:
    <!-- Basic XSS via javascript: protocol (if allowed) -->
    javascript:alert('XSS')
    <!-- XSS via data URI -->
    data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
    <!-- XSS via an event handler if the URL is placed in an attribute -->
    " onerror="alert('XSS')" "
    
  • Triggering the Payload: The attacker saves their profile. Any victim visiting a page with the attacker’s avatar (e.g., a comment section) will have the script executed automatically in their browser.

Protection from this CVE

  • Immediate Patch:
    Upgrade Frappe to the patched version
    bench update --upgrade
    Or, if using pip
    pip install --upgrade frappe>=16.11.0
    
  • Mitigation (if patching is not immediate):
  • Implement a Web Application Firewall (WAF) rule to filter out malicious patterns (e.g., javascript:, data:, onerror=) from URL parameters.
  • Manually sanitize and validate all user-supplied URLs at the application level, ensuring they use a safe protocol (like `https://`) and do not contain executable code.
  • Apply output encoding for the `src` attribute in templates.

Impact:

  • Confidentiality: An attacker can steal session cookies or other sensitive data from the victim’s browser, leading to account takeover.
  • Integrity: The attacker can modify content on the page as the victim, post on their behalf, or deface the website.
  • Availability: The attack can be used to redirect the user to malicious sites or crash their browser session.
  • Scope: The attack is stored, meaning it affects any user who views the compromised avatar, not just the attacker.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top