CVE-2026-46546 Frappe LMS: HTML injection in user-controlled metadata

Frappe Learning Management System LMS is a learning system that helps users structure their content. Prior to version 2.53.0, an authenticated user could supply specially crafted content in certain user-editable fields that, when surfaced in page metadata, caused visitors' browsers to navigate to...

CVE-2026-39405

The vulnerability CVE-2026-39405 affects Frappe LMS. In versions 2.50.0 and earlier, a user with a course editing role could upload a SCORM ZIP package that allowed writing files outside the intended directory, constituting a path traversal risk. The issue has been fixed in version 2.50.1. The av...

Frappe Learning Management System 路径遍历漏洞

Frappe Learning Management System is an easy-to-use open-source learning management system developed by Frappe. Versions of the Frappe Learning Management System 2.50.0 and earlier had a path traversal vulnerability, which occurred when users uploaded SCORM ZIP packages, potentially leading files...

CVE-2026-34606 Stored XSS in Frappe LMS

Frappe Learning Management System LMS is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0...

CVE-2026-26977

Frappe Learning Management System LMS is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release...

CVE-2026-26977

Frappe Learning Management System (LMS)

PT-2026-20980

Frappe Learning Management System LMS is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release...

CVE-2026-26031 Frappe LMS affected by unauthorised user was able to access the full list of batch enrolled students

Frappe Learning Management System LMS is a learning system that helps users structure their content. Prior to 2.44.0, security issue was identified in Frappe Learning, where unauthorised users were able to access the full list of enrolled students by email in batches. This vulnerability is fixed ...

CVE-2026-26031 Frappe LMS affected by unauthorised user was able to access the full list of batch enrolled students

Frappe Learning Management System LMS is a learning system that helps users structure their content. Prior to 2.44.0, security issue was identified in Frappe Learning, where unauthorised users were able to access the full list of enrolled students by email in batches. This vulnerability is fixed ...

CVE-2026-23497

Frappe Learning Management System LMS is a learning system that helps users structure their content. In 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on course or jobs pages...

CVE-2026-23497 Frappe LMS has a Stored XSS via Unsanitized Image Filename in Course and Jobs Pages

Frappe Learning Management System LMS is a learning system that helps users structure their content. In 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on course or jobs pages...

CVE-2025-67734

Frappe Learning Management System LMS is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed i...

CVE-2025-67734

CVE-2025-67734 affects Frappe Learning Management System (LMS) prior to version 2.42.0. The vulnerability arises from the Company Website field in the Job Form, where an authenticated attacker can inject JavaScript, leading to a cross-site scripting (XSS) attack that executes in the browsers of u...

CVE-2025-67734 Frappe Authenticated Users can Execute JavaScript through its Job Form

Frappe Learning Management System LMS is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed i...

EUVD-2025-203120

Frappe Learning Management System LMS is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed i...

CVE-2025-67730

CVE-2025-67730 affects Frappe Learning Management System (LMS). Details across sources show that versions prior to 2.42.0 allow authenticated users to inject malicious HTML and JavaScript via description fields in the Job, Course, and Batch forms, leading to cross-site scripting (XSS). The issue ...

CVE-2025-66581 Frappe LMS is Missing Server-Side Authorization in Business Logic

Frappe Learning Management System LMS is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints...

CVE-2025-66581 Frappe LMS is Missing Server-Side Authorization in Business Logic

Frappe Learning Management System LMS is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints...

CVE-2025-64707 Frappe LMS revoking access did not show immediate effect as roles were cached

Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, when admins revoked a role from the user, the effect was not immediate because of caching. The issue has been fixed in version 2.41.0 by ensuring the cache is...

CVE-2025-11282

A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could b...