Learning
by Frappe
CVEs (15)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-34606 | | Med | 0.33 | 6.1 | 0.00 | | Apr 2, 2026 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0. |
| CVE-2025-11281 | | Med | 0.33 | 5.0 | 0.00 | | Oct 5, 2025 | A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the component Unpublished Course Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. This attack is… |
| CVE-2025-11280 | | Low | 0.24 | 3.7 | 0.00 | | Oct 5, 2025 | A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The… |
| CVE-2026-39415 | | Med | 0.21 | 4.3 | 0.00 | | Apr 8, 2026 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on… |
| CVE-2025-11283 | | Low | 0.16 | 2.4 | 0.00 | | Oct 5, 2025 | A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly… |
| CVE-2025-11282 | | Low | 0.16 | 2.4 | 0.00 | | Oct 5, 2025 | A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made… |
| CVE-2026-26031 | | | 0.00 | — | 0.00 | | Feb 11, 2026 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.44.0, a security issue was identified in Frappe Learning, where unauthorised users were able to access the full list of enrolled students (by email) in batches. This… |
| CVE-2025-64707 | | | 0.00 | — | 0.00 | | Nov 12, 2025 | Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, when admins revoked a role from the user, the effect was not immediate because of caching. The issue has been fixed in version 2.41.0 by ensuring… |
| CVE-2025-64705 | | | 0.00 | — | 0.00 | | Nov 12, 2025 | Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, users were able to access the submissions made by other students. The issue has been fixed in version 2.41.0 by ensuring proper roles and… |
| CVE-2025-62779 | | | 0.00 | — | 0.00 | | Oct 27, 2025 | Frappe Learning is a learning system that helps users structure their content. In Frappe Learning 2.39.1 and earlier, users were able to add HTML through input fields in the Job Form. |
| CVE-2025-62778 | | | 0.00 | — | 0.00 | | Oct 27, 2025 | Frappe Learning is a learning management system. A security issue was identified in Frappe Learning 2.39.1 and earlier, where students were able to access the Quiz Form if they had the URL. |
| CVE-2025-62158 | | | 0.00 | — | 0.00 | | Oct 10, 2025 | Frappe Learning is a learning system that helps users structure their content. In versions prior to 2.38.0, the system stored the attachments uploaded by the students in their assignments as public files. This issue potentially exposed student-uploaded files to the public.… |
| CVE-2025-59415 | | | 0.00 | — | 0.00 | | Sep 17, 2025 | Frappe Learning is a learning system that helps users structure their content. In versions 2.34.1 and below, there is a security vulnerability in Frappe Learning where the system did not adequately sanitize the content uploaded in the profile bio. Malicious SVG files could be… |
| CVE-2025-55006 | | | 0.00 | — | 0.00 | | Aug 9, 2025 | Frappe Learning is a learning system that helps users structure their content. In versions 2.33.0 and below, the image upload functionality did not adequately sanitize uploaded SVG files. This allowed users to upload SVG files containing embedded JavaScript or other potentially… |
| CVE-2019-15775 | | | 0.00 | — | 0.01 | | Aug 29, 2019 | The nd-learning plugin before 4.8 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. |