Lms
by Frappe
CVEs (43)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-11282 |  | Low | 0.16 | 2.4 | 0.00 |  | Oct 5, 2025 | A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made… |
| CVE-2026-46546 |  | Low | 0.07 | — | 0.00 |  | Jun 10, 2026 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to version 2.53.0, an authenticated user could supply specially crafted content in certain user-editable fields that, when surfaced in page metadata, caused visitors'… |
| CVE-2026-30882 |  |  | 0.00 | — | 0.00 |  | Mar 16, 2026 | Chamilo LMS is a learning management system. Chamilo LMS version 1.11.34 and prior contains a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page. The keyword parameter from $_REQUEST is echoed directly into an HTML href attribute without any… |
| CVE-2026-30881 |  |  | 0.00 | — | 0.00 |  | Mar 16, 2026 | Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST are embedded directly into a raw SQL string without proper sanitization. Although… |
| CVE-2026-29041 |  |  | 0.00 | — | 0.01 |  | Mar 6, 2026 | Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The application relies solely on MIME-type verification when handling file uploads… |
| CVE-2026-26977 |  |  | 0.00 | — | 0.00 |  | Feb 20, 2026 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release. |
| CVE-2026-26031 |  |  | 0.00 | — | 0.00 |  | Feb 11, 2026 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.44.0, a security issue was identified in Frappe Learning, where unauthorised users were able to access the full list of enrolled students (by email) in batches. This… |
| CVE-2025-69581 |  |  | 0.00 | — | 0.00 |  | Jan 16, 2026 | An issue was discovered in Chamilo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on… |
| CVE-2026-23497 |  |  | 0.00 | — | 0.00 |  | Jan 14, 2026 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on course or jobs pages. |
| CVE-2025-67734 |  |  | 0.00 | — | 0.00 |  | Dec 12, 2025 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script… |
| CVE-2025-67730 |  |  | 0.00 | — | 0.00 |  | Dec 12, 2025 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in… |
| CVE-2025-66581 |  |  | 0.00 | — | 0.00 |  | Dec 5, 2025 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the… |
| CVE-2025-65676 |  |  | 0.00 | — | 0.00 |  | Nov 26, 2025 | Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images. |
| CVE-2025-65675 |  |  | 0.00 | — | 0.00 |  | Nov 26, 2025 | Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures. |
| CVE-2025-64707 |  |  | 0.00 | — | 0.00 |  | Nov 12, 2025 | Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, when admins revoked a role from the user, the effect was not immediate because of caching. The issue has been fixed in version 2.41.0 by ensuring… |
| CVE-2025-64705 |  |  | 0.00 | — | 0.00 |  | Nov 12, 2025 | Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, users were able to access the submissions made by other students. The issue has been fixed in version 2.41.0 by ensuring proper roles and… |
| CVE-2025-62779 |  |  | 0.00 | — | 0.00 |  | Oct 27, 2025 | Frappe Learning is a learning system that helps users structure their content. In Frappe Learning 2.39.1 and earlier, users were able to add HTML through input fields in the Job Form. |
| CVE-2025-62778 |  |  | 0.00 | — | 0.00 |  | Oct 27, 2025 | Frappe Learning is a learning management system. A security issue was identified in Frappe Learning 2.39.1 and earlier, where students were able to access the Quiz Form if they had the URL. |
| CVE-2025-62158 |  |  | 0.00 | — | 0.00 |  | Oct 10, 2025 | Frappe Learning is a learning system that helps users structure their content. In versions prior to 2.38.0, the system stored the attachments uploaded by the students in their assignments as public files. This issue potentially exposed student-uploaded files to the public.… |
| CVE-2025-59415 |  |  | 0.00 | — | 0.00 |  | Sep 17, 2025 | Frappe Learning is a learning system that helps users structure their content. In versions 2.34.1 and below, there is a security vulnerability in Frappe Learning where the system did not adequately sanitize the content uploaded in the profile bio. Malicious SVG files could be… |