CVE-2026-28436 LOW

CVE-2026-28436: Frappe: Stored XSS in avatar_macro.html

Vendor Frappe
Product frappe
Weakness CWE-79 · XSS
Published March 5, 2026
Last update March 6, 2026
View on NVD All CVEs

CVSS base score

1.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01Description

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 and 15.102.0.

Key dates

02Disclosure timeline

March 5, 2026 CVE published
March 6, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-25102 WordPress Yahoo BOSS Plugin <= 0.7 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2023-20120 Cisco Secure Email Gateway, Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance Cross-Site Scripting Vulnerabilities CVE-2023-2328 Cross-site Scripting (XSS) - Generic in pimcore/pimcore CVE-2022-1418 Social Stickers <= 2.2.9 - Stored Cross-Site Scripting via CSRF CVE-2022-20647 Cisco Security Manager Cross-Site Scripting Vulnerabilities