CVE-2026-28436
Frappe: Stored XSS in avatar_macro.html
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0.
| CWE | CWE-79 |
| Vendor | frappe |
| Product | frappe |
| Published | Mar 5, 2026 |
| Last Updated | Mar 6, 2026 |
Stay Ahead of the Next One
Get instant alerts for frappe frappe
Be the first to know when new unknown vulnerabilities affecting frappe frappe are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
frappe / frappe
< 16.11.0 < 15.102.0