Medium severity 6.1 · NVD Advisory · Published Apr 2, 2026 · Updated Apr 7, 2026
CVE-2026-34606
Description
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0.
Affected products (1)
Patches (1)
- b8283860a7f0 · https://github.com/frappe/lms · via nvd-ref
References (4)
- github.com/frappe/lms/commit/b8283860a7f029ea2fa0245131c398c079088921 (nvd: Patch)
- github.com/frappe/lms/pull/2185 (nvd: Issue Tracking, Patch)
- github.com/frappe/lms/security/advisories/GHSA-qf5w-r34q-c7j2 (nvd: Vendor Advisory)
- github.com/frappe/lms/releases/tag/v2.48.0 (nvd: Product, Release Notes)