Unrated severity · OSV Advisory · Published Jan 14, 2026 · Updated Jan 14, 2026
Frappe LMS has a Stored XSS via Unsanitized Image Filename in Course and Jobs Pages
CVE-2026-23497
Description
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on course or jobs pages.
Affected products: 1
Patches: 0
No patches discovered yet.
References (2)
- github.com/frappe/lms/commit/e7ccf0a711d0e0ab5e6b28b7a1e4e0510b6b9543 (mitre, x_refsource_MISC)
- github.com/frappe/lms/security/advisories/GHSA-78mq-3whw-69j5 (mitre, x_refsource_CONFIRM)