CVE-2026-28436

CVE Database · CVE-2026-28436

CVE-2026-28436

· HIGHAnalyzed

CVSS v3.1

7.2

CVSS v4.0

1.3

EPSS

0.17%

Published

Mar 5, 2026

Modified

Apr 28, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Weaknesses (CWE)

CWE-79

Affected Products (2)

frappe · frappe (up to 15.102.0)vulnerable

frappe · frappe (up to 16.11.0)vulnerable

References (1)

https://github.com/frappe/frappe/security/advisories/GHSA-vm63-r48g-7wqh

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs