Cyber Posture

CVE-2026-28436

High

Published: 05 March 2026

Modified: 09 March 2026
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0004 (13.2th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28436 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Frappe Frappe. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-79: Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Addresses CWE-79: Validates web inputs to reject script-related content that could produce XSS.
- Addresses CWE-79: Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Stored XSS in a public Frappe web app directly enables remote exploitation of the application (T1190) and arbitrary JavaScript execution in users' browsers when avatars or comments are viewed (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0.

Deeper analysis (AI-generated)

CVE-2026-28436 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in the Frappe full-stack web application framework. It affects versions prior to 16.11.0 and 15.102.0, where an attacker can set a crafted image URL that triggers XSS when the avatar is displayed.

The vulnerability enables an unauthenticated attacker (PR:N) to exploit it remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), earning a CVSS v3.1 base score of 7.2 due to changed scope (S:C) and low impacts on confidentiality and integrity (C:L/I:L/A:N). By crafting a malicious image URL, the attacker can cause XSS execution for other users when they view website page comments displaying the affected avatar.
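To make the attribute-injection path concrete, here is an added Python example written for this page (it is not Frappe's code and does not reproduce the patched function): an unsafe avatar renderer that interpolates the user-supplied URL verbatim into the `src` attribute, beside a hardened version that restricts the URL to http(s) or site-relative paths and attribute-escapes it before rendering. The CSS class name, the default avatar path and the sample inputs are assumptions constructed for the demo.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_AVATAR = "/assets/default-avatar.png"  # assumed fallback path


def render_avatar_unsafe(url: str) -> str:
    """Vulnerable pattern: the stored URL lands in an attribute unescaped,
    so a value containing a double quote can close src and add new attributes."""
    return f'<img class="avatar" src="{url}">'


def validate_avatar_url(url: str) -> Optional[str]:
    """Return the URL if it is a plain http(s) URL or a site-relative path, else None.

    Rejects quotes and angle brackets (attribute/tag breakouts), control
    characters (browsers strip them inside schemes, e.g. 'java\\tscript:'),
    non-http schemes such as javascript: and data:, and protocol-relative
    '//host' URLs that would load an avatar from an attacker-chosen origin."""
    url = url.strip()
    if any(ch in url for ch in '"\'<>') or any(ord(c) < 0x20 for c in url):
        return None
    parts = urlsplit(url)
    if parts.scheme == "" and url.startswith("/") and not url.startswith("//"):
        return url
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        return url
    return None


def render_avatar_safe(url: str, fallback: str = DEFAULT_AVATAR) -> str:
    """Hardened renderer: validate first, then escape for the attribute context.
    Invalid URLs fall back to a server-controlled default instead of being rendered."""
    valid = validate_avatar_url(url)
    src = valid if valid is not None else fallback
    return f'<img class="avatar" src="{html.escape(src, quote=True)}">'


if __name__ == "__main__":
    # Constructed sample: a stored avatar URL that breaks out of the src attribute.
    crafted = 'x" onerror="alert(1)'
    print(render_avatar_unsafe(crafted))  # attribute breakout survives
    print(render_avatar_safe(crafted))    # falls back to the default avatar
    print(render_avatar_safe("https://example.com/a.png?x=1&y=2"))
```

The same validate-then-escape order applies wherever the avatar URL is emitted, including comment threads rendered for other users, since escaping alone would still let a javascript: URL through.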

Frappe has addressed this issue in versions 16.11.0 and 15.102.0. Additional mitigation details are available in the security advisory at https://github.com/frappe/frappe/security/advisories/GHSA-vm63-r48g-7wqh.

Details

CWE(s)

Affected Products

frappe / frappe: ≤ 15.102.0 · 16.0.0 — 16.11.0

CVEs Like This One

CVE-2026-39351 (same product: Frappe Frappe)
CVE-2026-35614 (same product: Frappe Frappe)
CVE-2025-30212 (same product: Frappe Frappe)
CVE-2025-68929 (same product: Frappe Frappe)
CVE-2025-65267 (same product: Frappe Frappe)
CVE-2025-30217 (same product: Frappe Frappe)
CVE-2026-31877 (same product: Frappe Frappe)
CVE-2025-30213 (same product: Frappe Frappe)
CVE-2025-30214 (same product: Frappe Frappe)
CVE-2025-68953 (same product: Frappe Frappe)

References