CVE-2026-28436

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/frappe/frappe/security/advisories/GHSA-vm63-r48g-7wqh	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:frappe:frappe::::::::
	cpe:2.3:a:frappe:frappe::::::::

History

09 Mar 2026, 19:05

Type	Values Removed	Values Added
References	~~() https://github.com/frappe/frappe/security/advisories/GHSA-vm63-r48g-7wqh -~~	() https://github.com/frappe/frappe/security/advisories/GHSA-vm63-r48g-7wqh - Vendor Advisory
CPE		cpe:2.3:a:frappe:frappe::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2
First Time		Frappe frappe Frappe

09 Mar 2026, 13:36

Type	Values Removed	Values Added
Summary		(es) Frappe es un framework de aplicación web full-stack. Antes de las versiones 16.11.0 y 15.102.0, un atacante puede establecer una URL de imagen manipulada que resulta en XSS cuando se muestra el avatar, y puede ser activado para otros usuarios a través de comentarios de páginas web. Este problema ha sido parcheado en las versiones 16.11.0 y 15.102.0.

05 Mar 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-05 21:16

Updated : 2026-03-09 19:05

NVD link : CVE-2026-28436

Mitre link : CVE-2026-28436

CVE.ORG link : CVE-2026-28436

JSON object : View

Products Affected

frappe

frappe

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-28436", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-05T21:16:22.180", "references": [{"url": "https://github.com/frappe/frappe/security/advisories/GHSA-vm63-r48g-7wqh", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0."}, {"lang": "es", "value": "Frappe es un framework de aplicaci\u00f3n web full-stack. Antes de las versiones 16.11.0 y 15.102.0, un atacante puede establecer una URL de imagen manipulada que resulta en XSS cuando se muestra el avatar, y puede ser activado para otros usuarios a trav\u00e9s de comentarios de p\u00e1ginas web. Este problema ha sido parcheado en las versiones 16.11.0 y 15.102.0."}], "lastModified": "2026-03-09T19:05:28.313", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B23BC56A-5135-4189-88C0-6BB88EA07E75", "versionEndExcluding": "15.102.0"}, {"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6800A8AA-7AE0-40E5-9F5E-0AB88285C0CC", "versionEndExcluding": "16.11.0", "versionStartIncluding": "16.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}