CVE-2026-46546
Description
Frappe LMS versions prior to 2.53.0 are vulnerable to HTML injection, allowing authenticated users to redirect visitors to malicious sites via crafted metadata.
AI Insight
Vulnerability
Prior to version 2.53.0, Frappe Learning Management System (LMS) is susceptible to an HTML injection vulnerability. An authenticated user can insert specially crafted content into user-editable fields. When this content is rendered in page metadata, it can trigger a browser navigation to an attacker-controlled URL [1].
Exploitation
An attacker must first be authenticated to the Frappe LMS. They can then inject malicious HTML into specific user-editable fields. When a visitor views a page where this crafted content is displayed in the metadata, their browser will be redirected to a URL specified by the attacker [1].
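To make the mechanism concrete from the defender's side, the following is an added example (not Frappe LMS code and not from the advisory) contrasting an unsafe and a hardened way of placing user-editable fields into page metadata. It assumes a hypothetical pair of renderers, render_meta_unsafe and render_meta_safe, and uses constructed sample field values; the point is that attribute-context escaping keeps any markup in a user field from reaching the document head, and that a simple check over the rendered output can detect when it does.

```python
import html
import re

# Constructed sample of user-editable metadata fields (not real Frappe LMS data).
# The title contains a quote and an angle bracket, which is enough to break out
# of an attribute if the value is concatenated unescaped.
SAMPLE_FIELDS = {
    "title": 'Intro to Python" /><x-injected attr="1',
    "description": 'Learn Python <fast> & "safely"',
}


def render_meta_unsafe(fields: dict) -> str:
    """Vulnerable pattern: user content is concatenated straight into <meta>
    tags. A quote or angle bracket in the value closes the attribute and lets
    user-supplied markup land in the <head>."""
    return "".join(
        f'<meta name="{name}" content="{value}">\n'
        for name, value in fields.items()
    )


def render_meta_safe(fields: dict) -> str:
    """Hardened pattern: escape <, >, &, and both quote styles before the value
    is placed inside an attribute (html.escape with quote=True), so the value
    can only ever be attribute text."""
    return "".join(
        f'<meta name="{html.escape(str(name), quote=True)}" '
        f'content="{html.escape(str(value), quote=True)}">\n'
        for name, value in fields.items()
    )


# Matches any tag opener in the rendered head that is not one of the <meta>
# tags the renderer emitted itself.
_FOREIGN_TAG_RE = re.compile(r"<(?!/?meta\b)[a-zA-Z]")


def count_foreign_tags(rendered_head: str) -> int:
    """Detection check: number of tag openers in the rendered metadata block
    that did not come from the renderer's own <meta> tags. Anything above 0
    means a user field has escaped its attribute context."""
    return len(_FOREIGN_TAG_RE.findall(rendered_head))


def metadata_is_clean(fields: dict, renderer=render_meta_safe) -> bool:
    """Convenience check used by the assertions below: True when the chosen
    renderer keeps the head free of foreign tags for the given fields."""
    return count_foreign_tags(renderer(fields)) == 0


if __name__ == "__main__":
    print("unsafe renderer, foreign tags:", count_foreign_tags(render_meta_unsafe(SAMPLE_FIELDS)))
    print("safe renderer, foreign tags:  ", count_foreign_tags(render_meta_safe(SAMPLE_FIELDS)))
    print(render_meta_safe(SAMPLE_FIELDS))
```

The same escaping discipline applies to any other head element built from user data; escaping for the attribute context is what matters, since a value that is only escaped for text content still breaks out through the closing quote.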
Impact
Successful exploitation allows an attacker to redirect visitors to arbitrary URLs. This can lead to phishing attacks, drive-by downloads, or other malicious activities, impacting the confidentiality and integrity of the user's browsing session.
Mitigation
The vulnerability has been patched in Frappe LMS version 2.53.0. Users are advised to upgrade to this version or later. No workarounds are specified in the available references.
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Frappe LMS, range: <2.53.0
Patches
1859dd33af797 chore(release): Bumped to Version 2.53.0
1 file changed · +1 −1
lms/__init__.py+1 −1 modified@@ -1 +1 @@ -__version__ = "2.52.1" +__version__ = "2.53.0"
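Review bot: this hunk only bumps __version__ in lms/__init__.py from "2.52.1" to "2.53.0"; the change that escapes or sanitises the user-editable fields rendered into page metadata is not part of this diff, so the linked patch records the release rather than the fix, and the record should point at the commit that actually alters how those fields are rendered.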
References