Frappe Lms
By the Year
In 2026 there have been 5 vulnerabilities in Frappe Lms. Last year, in 2025, Lms had 9 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Lms in 2026 could surpass last year's number.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 5 | 0.00 |
| 2025 | 9 | 2.40 |
| 2024 | 0 | 0.00 |
| 2023 | 1 | 6.10 |
It may take a day or so for new Lms vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Frappe Lms Security Vulnerabilities
Frappe LMS <2.46.0: Client-Side Score Modification
CVE-2026-39415
- April 08, 2026
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on client-side calculated scores, which can be altered using browser developer tools prior to sending the submission request. While this does not allow modification of other users' data or privilege escalation, it compromises the integrity of quiz results and undermines academic reliability. This issue affects data integrity but does not expose confidential information or allow unauthorized access to other accounts. This vulnerability is fixed in 2.46.0.
Client-Side Enforcement of Server-Side Security
Frappe LMS stored XSS 2.27.0-2.47.9 (fixed 2.48.0)
CVE-2026-34606
- April 02, 2026
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0.
XSS
Unauthorized API Access in Frappe LMS 2.44.0 (before 2.45.0)
CVE-2026-26977
- February 20, 2026
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release.
AuthZ
Unauth Enum Enrolled Students via Batch in Frappe LMS <2.44.0
CVE-2026-26031
- February 11, 2026
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.44.0, a security issue was identified in Frappe Learning, where unauthorised users were able to access the full list of enrolled students (by email) in batches. This vulnerability is fixed in 2.44.0.
AuthZ
Stored XSS in Frappe LMS 2.44.0 via Image Filename
CVE-2026-23497
- January 14, 2026
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on course or jobs pages.
XSS
Frappe LMS XSS via Company Website Field < 2.42.0
CVE-2025-67734
- December 12, 2025
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed in the browsers of users who opened the malicious job posting. This issue is fixed in version 2.42.0.
XSS
Frappe LMS <2.42.0 Authenticated XSS via Description Fields (CVE-2025-67730)
CVE-2025-67730
- December 12, 2025
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0.
XSS
CVE-2025-66581: Frappe LMS <2.41 Auth Bypass for Low-Priv Users
CVE-2025-66581
- December 05, 2025
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints relied on client-side or UI-level checks instead of enforcing permissions on the server, users with low-privileged roles (such as students) could perform operations intended only for instructors or administrators by directly using the APIs. This vulnerability is fixed in 2.41.0.
AuthZ
Frappe Learning 2.0-2.40.9 Role Revocation Delay via Cache (CVE-2025-64707)
CVE-2025-64707
- November 12, 2025
Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, when admins revoked a role from the user, the effect was not immediate because of caching. The issue has been fixed in version 2.41.0 by ensuring the cache is cleared after roles are updated.
AuthZ
Frappe Learning <2.41.0: Unauthorized VIEW Submissions
CVE-2025-64705
- November 12, 2025
Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, users were able to access the submissions made by other students. The issue has been fixed in version 2.41.0 by ensuring proper roles and redirecting if accessed via direct URL.
Information Disclosure
Frappe Learning 2.39.1 HTML Injection in Job Form (CVE-2025-62779)
CVE-2025-62779
- October 27, 2025
Frappe Learning is a learning system that helps users structure their content. In Frappe Learning 2.39.1 and earlier, users were able to add HTML through input fields in the Job Form.
XSS
Frappe Learning <=2.39.1: Quiz Form Access Control Bypass
CVE-2025-62778
- October 27, 2025
Frappe Learning is a learning management system. A security issue was identified in Frappe Learning 2.39.1 and earlier, where students were able to access the Quiz Form if they had the URL.
Forced Browsing
Frappe LMS XSS in Course Handler (2.35.0) via Description
CVE-2025-11283
2.4 - Low
- October 05, 2025
A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
XSS
XSS vuln in Frappe LMS 2.35.0 (CVE-2025-11282)
CVE-2025-11282
2.4 - Low
- October 05, 2025
A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
XSS
XSS in Frappe LMS on GitHub before 5614a620
CVE-2023-5555
6.1 - Medium
- October 12, 2023
Cross-site Scripting (XSS) - Generic in GitHub repository frappe/lms prior to 5614a6203fb7d438be8e2b1e3030e4528d170ec4.
XSS