CVE-2026-53568 Overview
CVE-2026-53568 is a stored cross-site scripting (XSS) vulnerability in Frappe, a full-stack web application framework. The flaw exists in the Report and List View components and allows attackers to persist malicious script content that executes in the browsers of users viewing affected reports or lists. The issue is tracked under CWE-79 and was disclosed via a GitHub Security Advisory. Frappe has patched the vulnerability in versions 15.107.2 and 16.17.4.
Critical Impact
Authenticated attackers can inject persistent scripts that execute in other users' sessions when they access Report or List Views, enabling session abuse, UI manipulation, and data exfiltration within the Frappe application context.
Affected Products
- Frappe Framework versions prior to 15.107.2
- Frappe Framework versions prior to 16.17.4
- Applications built on the Frappe Framework that expose Report or List Views
Discovery Timeline
- 2026-06-12 - CVE-2026-53568 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-53568
Vulnerability Analysis
The vulnerability is a stored cross-site scripting flaw in the Frappe Report View and List View components. Stored XSS occurs when user-supplied data is persisted by the server and later rendered to other users without adequate output encoding. In Frappe, Report and List Views render record fields and column metadata that can be controlled by lower-privileged users. When these values contain HTML or JavaScript payloads, the views render them as active content in the browsers of all users who load the affected view.
The attack vector is network-based and requires no user interaction beyond viewing the affected list or report. Because Frappe powers ERPNext and other multi-tenant business applications, exploitation can target high-privilege users such as system managers, allowing the attacker to perform actions in the victim's session.
Root Cause
The root cause is insufficient sanitization or output encoding of user-controlled field values within the Report/List View rendering path. Field data persisted to the database is later interpolated into the DOM in a context where it is interpreted as markup rather than text, allowing arbitrary <script> or event-handler payloads to execute.
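The defect class the root cause describes, shown as an added Python example (not Frappe's own rendering code, which runs in the browser): a list-view row is built once by interpolating field values straight into markup, and once with output encoding. The sample row, the column list and the `contains_active_markup` check are constructed for this illustration.

```python
import html
import re

# Constructed sample row: a record field holding an image tag with an
# event-handler attribute, the shape of payload the advisory describes.
SAMPLE_ROW = {
    "name": "SINV-0001",
    "customer_name": '<img src=x onerror="alert(1)">',
    "grand_total": "1250.00",
}
COLUMNS = ["name", "customer_name", "grand_total"]


def render_row_unsafe(row, columns):
    """Vulnerable pattern: field values are interpolated straight into markup,
    so the browser parses a stored tag as an element and its event handler runs."""
    cells = "".join(f"<td>{row.get(col, '')}</td>" for col in columns)
    return f"<tr>{cells}</tr>"


def render_row_safe(row, columns):
    """Hardened pattern: identical layout, but every value is entity-encoded.
    quote=True also encodes quotes, so values stay inert inside attributes."""
    cells = "".join(
        f"<td>{html.escape(str(row.get(col, '')), quote=True)}</td>"
        for col in columns
    )
    return f"<tr>{cells}</tr>"


# The renderer's own wrapper tags are the only markup that should be present.
_WRAPPER_TAGS = re.compile(r"</?t[rd]>")


def contains_active_markup(rendered):
    """True if a raw '<' survives outside the wrapper tags, meaning a field
    value opened a tag of its own. Handler text such as onerror= is harmless
    once it can no longer sit inside a tag, so the check keys on the '<'."""
    inner = _WRAPPER_TAGS.sub("", rendered)
    return "<" in inner


if __name__ == "__main__":
    for label, fn in (("unsafe", render_row_unsafe), ("safe", render_row_safe)):
        out = fn(SAMPLE_ROW, COLUMNS)
        print(f"{label}: active markup = {contains_active_markup(out)}")
        print(f"  {out}")
```

The encoded variant leaves the stored string visible as literal text in the cell, which is the behaviour a list or report view needs: a user who typed angle brackets sees angle brackets, and nothing in the value is parsed as an element.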
Attack Vector
An authenticated user with permission to create or edit records that appear in a list or report writes a payload containing JavaScript into a field that is later displayed in a Report or List View. When another user opens that view, the payload executes in their browser under the Frappe application origin. The advisory and patch details are documented in the Frappe GHSA-rx63-c3fh-8926 advisory.
Detection Methods for CVE-2026-53568
Indicators of Compromise
- Record fields, document names, or report column values containing <script>, onerror=, onload=, or javascript: substrings.
- Unexpected outbound requests from user browsers to attacker-controlled domains immediately after loading a Frappe Report or List View.
- Creation of new System Manager or Administrator roles, API keys, or session tokens following access to a Report/List View by a privileged user.
Detection Strategies
- Query the Frappe database for stored field values that contain HTML or JavaScript tokens in user-editable DocTypes.
- Inspect web server and application logs for GET requests to /app/*/view/report and /app/*/view/list endpoints correlated with anomalous client-side activity.
- Apply a Content Security Policy (CSP) in report-only mode to surface inline script execution violations that indicate injected payloads.
Monitoring Recommendations
- Monitor changes to privileged user roles, API key generation events, and session creation patterns in Frappe audit logs.
- Alert on browser-side CSP violation reports originating from Frappe application paths.
- Track version inventory of Frappe deployments and flag instances running below 15.107.2 or 16.17.4.
How to Mitigate CVE-2026-53568
Immediate Actions Required
- Upgrade Frappe to version 15.107.2 or 16.17.4 or later across all environments.
- Audit existing records, custom fields, and saved reports for stored payloads and sanitize or remove suspicious content.
- Rotate session secrets and API keys for privileged accounts that accessed Report or List Views before patching.
Patch Information
Frappe has released fixed versions 15.107.2 and 16.17.4. Administrators should upgrade using bench update or the appropriate container image tag. Patch details are published in the Frappe Security Advisory GHSA-rx63-c3fh-8926.
Workarounds
- Restrict write permissions on DocTypes exposed through Report and List Views to trusted users until patching is complete.
- Deploy a strict Content Security Policy that disallows inline scripts to reduce the impact of stored payloads.
- Place the Frappe application behind a web application firewall with rules that block HTML/JavaScript markup in form submissions to user-editable fields.
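The Content Security Policy mentioned under Detection Strategies (report-only, to surface inline-script violations), under Monitoring Recommendations (alerting on violation reports from Frappe paths) and under Workarounds (enforcing, to block inline scripts), as one added Python example that is neither the advisory's nor Frappe's code. It builds the header in either mode and triages one browser violation report. Assumptions: the policy directives and the /csp-report endpoint are illustrative choices, the report shape is the standard "csp-report" JSON object a report-uri endpoint receives, and the view paths follow the /app/*/view/report and /app/*/view/list form given above.

```python
import json
import re
from urllib.parse import urlparse


def build_csp(report_only, report_endpoint="/csp-report"):
    """Return (header name, header value) for a policy with no inline scripts.
    report_only=True surfaces violations without blocking anything, which is
    the safe first step if the application itself still uses inline scripts."""
    directives = [
        "default-src 'self'",
        "script-src 'self'",   # no 'unsafe-inline': stored inline payloads are blocked
        "object-src 'none'",
        "base-uri 'self'",
        f"report-uri {report_endpoint}",   # illustrative collector path
    ]
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)


# Frappe report and list view paths in the form given under Detection Strategies.
_VIEW_PATH = re.compile(r"^/app/[^/]+/view/(report|list)$")


def triage_csp_report(raw_json):
    """Parse one browser violation report (the 'csp-report' JSON object that
    report-uri delivers) and flag inline-script violations on a view path."""
    try:
        report = json.loads(raw_json).get("csp-report", {})
    except (ValueError, AttributeError):
        return {"alert": False, "error": "unparseable report"}
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    path = urlparse(report.get("document-uri", "")).path
    blocked = report.get("blocked-uri", "")
    # script-src, script-src-elem and script-src-attr all mean script execution
    is_script = directive.startswith("script-src")
    return {
        "alert": is_script and blocked == "inline" and bool(_VIEW_PATH.match(path)),
        "path": path,
        "directive": directive,
        "blocked_uri": blocked,
        "sample": report.get("script-sample", ""),
    }


# Constructed sample reports: one true positive and two that must not alert.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://erp.example.invalid/app/sales-invoice/view/report",
        "effective-directive": "script-src-elem",
        "blocked-uri": "inline",
        "script-sample": "alert(1)"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://erp.example.invalid/app/sales-invoice/view/report",
        "effective-directive": "img-src",
        "blocked-uri": "https://cdn.example.invalid/logo.png"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://erp.example.invalid/login",
        "effective-directive": "script-src",
        "blocked-uri": "inline"}}),
]


if __name__ == "__main__":
    print(": ".join(build_csp(report_only=True)))
    for raw in SAMPLE_REPORTS:
        r = triage_csp_report(raw)
        print(f"alert={r['alert']} path={r.get('path')} directive={r.get('directive')}")
```

Run report-only first and watch the triage output for a few days: a steady stream of inline-script violations from every view means the application itself depends on inline scripts and the enforcing header would break it, while isolated violations tied to one record or one view are the signal the Detection Strategies section describes. Only switch build_csp to report_only=False once the baseline is clean.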
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.