21 matches found
CVE-2023-42807
CVE-2023-42807 affects Frappe LMS prior to the latest main branch. The vulnerability is an SQL injection in the People Page of the LMS (versions 1.0.0 and earlier). Root cause: unsafely constructed SQL on the People Page allowing data extraction/manipulation. Impact: high across confidentiality, ...
CVE-2023-5555
CVE-2023-5555 is a Cross-site Scripting (XSS) vulnerability in Frappe LMS (frappe/lms) with XSS in the GitHub repository before 5614a6203fb7d438be8e2b1e3030e4528d170ec4. Connected sources identify the affected component as the LMS front-end/backend code handling user input such as search and tags...
CVE-2025-55006
CVE-2025-55006 affects Frappe LMS 2.34.x/2.35.0. The issue stems from an incomplete fix for CVE-2025-55006, enabling cross-site scripting via manipulated input. Remote exploitation is described as possible; an exploit has been made public per connected sources. A remediation is to upgrade to a ve...
CVE-2025-11282
CVE-2025-11282 affects Frappe LMS 2.34.x/2.35.0 due to an incomplete fix for CVE-2025-55006, enabling cross-site scripting via manipulated input. The vulnerability allows remote exploitation and an exploit has been publicized. The issue is linked to an unknown function in the affected component; ...
CVE-2025-62158
Summary: Frappe Learning prior to version 2.38.0 stored student assignment attachments as public files, enabling unauthenticated access via file URLs. The underlying issue is the exposure of uploaded files through public storage. Affected products/versions: Frappe Learning,
CVE-2025-59415
CVE-2025-59415 affects Frappe Learning, versions 2.34.1 and earlier, where profile bio content wasn’t properly sanitized. This allows malicious SVGs to execute scripts in other users’ contexts, per multiple sources. The vulnerability arises from inadequate content sanitization in profile bios. Re...
CVE-2026-26031
The CVE describes a privacy flaw in Frappe Learning Management System (LMS) prior to version 2.44.0, where unauthorised users could retrieve the full list of enrolled students (by email) in batches. Affected software is the Frappe LMS prior to 2.44.0; the root cause is not explicitly detailed in ...
CVE-2025-11283
CVE-2025-11283 affects Frappe LMS 2.35.0, specifically the Course Handler component. The vulnerability arises from manipulation of the Description argument in Course Handler, enabling cross-site scripting (XSS) via a remote attack. Public disclosures exist detailing the exploit. The recommended r...
CVE-2026-23497
CVE-2026-23497 affects Frappe Learning Management System (LMS) up to and including version 2.44.0, where a stored XSS vulnerability arises from unsanitized image filenames rendered on course and jobs pages. The root cause is image filename handling that allows malicious JavaScript execution. The ...
CVE-2026-26977
Frappe Learning Management System (LMS)
CVE-2025-62779
Frappe Learning
CVE-2025-64705
Frappe Learning version range 2.0.0–2.40.9 suffers an information-disclosure vulnerability where users could view submissions from other students due to improper access control and direct URL access. The issue is fixed in version 2.41.0 by enforcing proper roles and redirecting direct URL access....
CVE-2026-39415
CVE-2026-39415 affects Frappe LMS prior to 2.46.0, where quiz scores could be altered client-side before submission due to reliance on client-side calculated scores. Impact: data integrity of quiz results is compromised; no confidentiality breach or privilege escalation reported. Remediation: upg...
CVE-2025-11280
The CVE-2025-11280 vulnerability affects Frappe LMS 2.35.0, in the Assignment Picture Handler component’s /files/ area. It enables a remote, high-complexity manipulation of a direct request, with exploitability rated as difficult and the exploit published. Upgrade the affected component as remedi...
CVE-2025-11281
CVE-2025-11281 affects Frappe LMS 2.35.0 and involves an unknown function in the /courses/ path of the Unpublished Course Handler, leading to improper access controls. The issue is exploitable remotely, with high attack complexity and low privileges required; exploitation is described as possible...
CVE-2025-62778
CVE-2025-62778 affects Frappe Learning (LMS) prior to version 2.39.1. The issue allows students to access the Quiz Form directly via URL, implying unauthorized access to quiz content. Root cause and impact details are stated in multiple sources but no exploit specifics are provided. Mitigation re...
CVE-2025-67730
CVE-2025-67730 affects Frappe Learning Management System (LMS). Details across sources show that versions prior to 2.42.0 allow authenticated users to inject malicious HTML and JavaScript via description fields in the Job, Course, and Batch forms, leading to cross-site scripting (XSS). The issue ...
CVE-2025-67734
CVE-2025-67734 affects Frappe Learning Management System (LMS) prior to version 2.42.0. The vulnerability arises from the Company Website field in the Job Form, where an authenticated attacker can inject JavaScript, leading to a cross-site scripting (XSS) attack that executes in the browsers of u...
CVE-2025-64707
Summary : CVE-2025-64707 affects Frappe Learning (LMS). From versions 2.0.0 up to and including 2.41.0, revoking a user’s role could be delayed in effect due to caching, meaning revoked permissions could persist briefly. This behavior has been fixed in version 2.41.0 by ensuring the cache is clea...
CVE-2025-66581
Frappe LMS (versions before 2.41.0) has a server-side authorization flaw where endpoints relied on client-side checks, allowing authenticated low-privilege users (e.g., students) to perform actions outside their roles via the API. The issue is fixed in 2.41.0. Affected component: server-side perm...
CVE-2026-34606
CVE-2026-34606 concerns Frappe LMS. The vulnerability is a stored XSS affecting Frappe LMS releases from version 2.27.0 up to 2.47.x (i.e., before 2.48.0). The issue has been patched in 2.48.0 . The provided sources do not supply exploit details, affected modules, or specific attack vectors beyon...