Description
A Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer.
Severity (CVSS)
| Base score | 4.6 |
|---|---|
| Severity | Medium |
| Version | CVSS 4.0 |
| Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| Provided by | CNA |
Weaknesses
- CWE-79: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Affected products
| Vendor | Product | Versions |
|---|---|---|
| Frappe | Frappe Framework | 17.0.0-dev |
References
- https://fluidattacks.com/es/advisories/aterciopelados (third-party-advisory)
- https://github.com/frappe/frappe (product)
Generated from the official CVE List on 25 Jun 2026 10:14 UTC.