Learning
Sign in to watchby Frappe
Source repositories
CVEs (6)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-34606 | Med | 0.33 | 6.1 | 0.00 | Apr 2, 2026 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0. | |
| CVE-2025-11281 | Med | 0.33 | 5.0 | 0.00 | Oct 5, 2025 | A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the component Unpublished Course Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. You should upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them. | |
| CVE-2026-39415 | Med | 0.28 | 4.3 | 0.00 | Apr 8, 2026 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on client-side calculated scores, which can be altered using browser developer tools prior to sending the submission request. While this does not allow modification of other users’ data or privilege escalation, it compromises the integrity of quiz results and undermines academic reliability. This issue affects data integrity but does not expose confidential information or allow unauthorized access to other accounts. This vulnerability is fixed in 2.46.0. | |
| CVE-2025-11280 | Low | 0.24 | 3.7 | 0.00 | Oct 5, 2025 | A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them. | |
| CVE-2025-11283 | Low | 0.16 | 2.4 | 0.00 | Oct 5, 2025 | A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them. | |
| CVE-2025-11282 | Low | 0.16 | 2.4 | 0.00 | Oct 5, 2025 | A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them. |