Description
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0.
Published: 2026-04-02
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Patch Now
AI Analysis

Impact

A stored cross‑site scripting vulnerability was discovered in Frappe Learning Management System. The flaw allows an attacker to inject malicious script that is permanently saved to the system and later executed in a victim’s browser when they view the affected content. This can lead to arbitrary script execution and credential theft or session hijacking. The weakness corresponds to CWE‑79, which describes unsanitized user input leading to script execution.

Affected Systems

The vulnerability affects Frappe LMS versions from 2.27.0 up to but not including 2.48.0. All installations running those releases are susceptible, regardless of configuration, because the application does not properly sanitize inputs for stored content.

Risk and Exploitability

The CVSS base score of 6.9 places this issue in the medium to high impact range. The EPSS score is below 1%, indicating a low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, reducing the likelihood of active exploitation. Exploitation requires user interaction, such as an authenticated content creator or user with sufficient privileges inserting malicious payloads, and the attack vector is likely through the LMS content management interface.

Generated by OpenCVE AI on April 7, 2026 at 21:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe LMS to version 2.48.0 or later to apply the official patch.
  • Remove any legacy content that may contain previously injected malicious scripts to eliminate stored payloads.
  • Review and monitor LMS activity logs for anomalous content submissions or suspicious script execution patterns.

Generated by OpenCVE AI on April 7, 2026 at 21:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Frappe learning
CPEs cpe:2.3:a:frappe:learning:*:*:*:*:*:*:*:*
Vendors & Products Frappe learning
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 03 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Frappe
Frappe lms
Vendors & Products Frappe
Frappe lms

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0.
Title Stored XSS in Frappe LMS
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Frappe Learning Lms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T13:02:34.097Z

Reserved: 2026-03-30T17:15:52.500Z

Link: CVE-2026-34606

cve-icon Vulnrichment

Updated: 2026-04-03T13:02:29.999Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T18:16:32.170

Modified: 2026-04-07T19:06:27.790

Link: CVE-2026-34606

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:55:27Z

Weaknesses