Description
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on course or jobs pages.
Published: 2026-01-14
Score: 1.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

Frappe Learning Management System allows user‑generated content. The vulnerability arises in versions 2.44.0 and earlier where an attacker can craft an image filename containing malicious JavaScript that is stored and later rendered within course or job pages. The stored XSS flaw can execute arbitrary script in the context of any user who views the page, potentially leading to credential theft, session hijacking or defacement.

Affected Systems

Frappe LMS 2.44.0 and earlier are vulnerable: any deployment of the learning management system that permits image uploads for courses or job listings without proper filename sanitization is affected. The attack can be triggered by legitimate administrators or users with upload permissions.

Risk and Exploitability

The CVSS score is 1.3, indicating low severity, and the EPSS score is under 1%, suggesting a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack requires uploading a file with a malicious filename, which is typically restricted to users with upload privileges; the flaw is client‑side only and does not provide remote code execution on the server. Exploitation would require a user to view the affected pages, making it a relatively low‑risk issue but still worth addressing to prevent phishing and other XSS attacks.

Generated by OpenCVE AI on April 18, 2026 at 16:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Frappe LMS release that contains an image filename sanitization fix.
  • Implement a whitelist for allowed characters in image filenames and reject names containing script elements.
  • Restrict image upload capability to trusted users and enforce a strong Content Security Policy that disallows inline scripts.

Advisories

No advisories yet.

History

Fri, 16 Jan 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Frappe learning |
| CPEs | | cpe:2.3:a:frappe:learning:*:*:*:*:*:*:*:* |
| Vendors & Products | | Frappe learning |
| Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'} |


Thu, 15 Jan 2026 08:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Frappe, Frappe frappe, Frappe frappe Lms |
| Vendors & Products | | Frappe, Frappe frappe, Frappe frappe Lms |

Wed, 14 Jan 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 14 Jan 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on course or jobs pages. |
| Title | | Frappe LMS has a Stored XSS via Unsanitized Image Filename in Course and Jobs Pages |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV4_0 {'score': 1.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-14T21:15:21.105Z

Reserved: 2026-01-13T15:47:41.629Z

Link: CVE-2026-23497

Vulnrichment

Updated: 2026-01-14T21:15:17.476Z

NVD

Status: Analyzed

Published: 2026-01-14T19:16:48.283

Modified: 2026-01-16T18:44:56.547

Link: CVE-2026-23497

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:15:04Z

Weaknesses