This vulnerability in Frappe Framework 17.0.0-dev allows an authenticated user with write permissions on the Auto Repeat feature to persist malicious HTML or JavaScript in the reference_document field. The injection occurs through a whitelisted write path, enabling stored XSS that triggers script execution when other users open the affected Auto Repeat form. The CVSS 4.6 score reflects network attack vector, low attack complexity, and required privileges with user interaction. No vendor advisory or patch is currently available.

Successful exploitation allows an attacker with authenticated write access to inject and execute arbitrary scripts in the context of users viewing the Auto Repeat form. This can lead to session hijacking, unauthorized actions, or other client-side impacts depending on the injected payload. The vulnerability requires authentication and user interaction to trigger, limiting its impact scope.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict write access to the Auto Repeat feature to trusted users only and consider additional input validation or sanitization controls on the reference_document field if possible.