XSS in Frappe Framework

CVE-2026-50703

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Desk desktop icon renderer.

Vulnerability class: XSS (Cross-Site Scripting)

Affected products

Frappe Framework — versions 17.0.0-dev

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

help@fluidattacks.com (third-party-advisory)
help@fluidattacks.com (product)