← Back
2026-03-05 20:21CVE-2026-28436GitHub_M
PUBLISHED5.2CWE-79

Frappe: Stored XSS in avatar_macro.html

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0.

Problem type

Affected products

frappe

frappe

< 16.11.0 - AFFECTED

< 15.102.0 - AFFECTED

References

https://github.com/frappe/frappe/security/advisories/GHSA-vm63-r48g-7wqh

https://github.com/frappe/frappe/security/advisories/GHSA-vm63-r48g-7wqh

x_refsource_CONFIRM

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-28436
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-28436",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-03-05T20:21:35.392Z",
    "dateReserved": "2026-02-27T15:54:05.139Z",
    "datePublished": "2026-03-05T20:21:35.392Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-03-05T20:21:35.392Z"
      },
      "title": "Frappe: Stored XSS in avatar_macro.html",
      "descriptions": [
        {
          "lang": "en",
          "value": "Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0."
        }
      ],
      "affected": [
        {
          "vendor": "frappe",
          "product": "frappe",
          "versions": [
            {
              "version": "< 16.11.0",
              "status": "affected"
            },
            {
              "version": "< 15.102.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
              "cweId": "CWE-79",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/frappe/frappe/security/advisories/GHSA-vm63-r48g-7wqh",
          "name": "https://github.com/frappe/frappe/security/advisories/GHSA-vm63-r48g-7wqh",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    }
  }
}