Description
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.50.0 and below, a user with course editing role could upload a SCORM ZIP package to write files outside the intended directory. This issue has been resolved in version 2.50.1.
Published: 2026-05-20
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a path traversal flaw in the Frappe Learning Management System that allows a user with course editing privileges to upload a SCORM ZIP package whose entries extract outside the intended directory, enabling arbitrary file creation or overwrite. The impact is the ability to write files to any location the application process can write to, which can be used to place malicious files in critical directories or the web root, potentially leading to remote code execution or data tampering. The flaw is classified as CWE-22, a classic directory traversal weakness.

Affected Systems

Affected vendor is Frappe, product LMS. Versions 2.50.0 and all prior releases are vulnerable. Version 2.50.1 and later contain the fix.

Risk and Exploitability

The CVSS score of 9.4 signifies a critical severity. With no EPSS score available and no listing in KEV, this flaw remains a high‑risk, serious vulnerability for environments that use the affected LMS. Attackers would need to be authenticated and possess the course editing role, but once that condition is met they can craft a malicious SCORM archive to bypass directory restrictions. Given the authentication requirement, the risk of accidental exploitation is lower, but a compromised account poses a severe threat.

Generated by OpenCVE AI on May 20, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe LMS to version 2.50.1 or later to apply the vendor patch that restricts SCORM extraction to the intended directory.
  • Restrict the course editing role to trusted users only, ensuring that only authorized staff can upload and manage course content.
  • If upgrading is delayed, implement input validation on uploaded SCORM packages: strip or reject any paths containing '..' or absolute paths before extraction to prevent traversal attempts.
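The third recommendation (validate entry paths before extraction) is the kind of check a practitioner would want to see concretely. The following is an added example, not code from Frappe LMS or from this advisory: it validates every member of a SCORM ZIP against the destination directory by resolving the joined path and requiring that it stay inside the destination, which catches `..` segments, absolute paths and backslash-separated paths in one rule rather than a substring search for `..`. It rejects the whole package on the first unsafe entry instead of silently dropping entries. The sample packages, the `/tmp/scorm-demo` destination and all function names are constructed for the example.

```python
from __future__ import annotations

import io
import os
import tempfile
import zipfile
from pathlib import Path


def is_safe_member(name: str, dest: Path) -> bool:
    """Return True only if the archive entry would land inside dest.

    The check resolves dest/name and requires dest to be the result itself
    or one of its parents. That single rule rejects '..' traversal, absolute
    paths and (conservatively) Windows drive-letter prefixes.
    """
    # Absolute POSIX paths, absolute Windows paths and drive letters are out.
    if name.startswith(("/", "\\")) or os.path.isabs(name):
        return False
    if len(name) > 1 and name[1] == ":":
        return False
    # Treat backslashes as separators so 'sub\..\..\x' cannot hide a traversal
    # when the server runs on POSIX.
    normalized = name.replace("\\", "/")
    target = (dest / normalized).resolve()
    dest_resolved = dest.resolve()
    return target == dest_resolved or dest_resolved in target.parents


def unsafe_members(zip_bytes: bytes, dest: Path) -> list[str]:
    """List every entry name that would escape dest (empty list means clean)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(n, dest)]


def safe_extract(zip_bytes: bytes, dest: Path) -> list[str]:
    """Validate every entry first, then extract; refuse the package otherwise.

    Returns the extracted entry names. Raises ValueError on an unsafe package
    so the caller can reject the upload rather than partially extract it.
    """
    bad = unsafe_members(zip_bytes, dest)
    if bad:
        raise ValueError(f"SCORM package rejected, unsafe entries: {bad}")
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {entry_name: data} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample packages: one well-formed, two that attempt to escape.
BENIGN_PACKAGE = build_sample(
    {"imsmanifest.xml": b"<manifest/>", "content/index.html": b"<html/>"}
)
TRAVERSAL_PACKAGE = build_sample(
    {"imsmanifest.xml": b"<manifest/>", "../../outside.txt": b"x"}
)
ABSOLUTE_PACKAGE = build_sample({"/etc/not-really.txt": b"x"})


def try_extract(zip_bytes: bytes) -> tuple[bool, list[str]]:
    """Extract into a throwaway directory; return (accepted, sorted names)."""
    with tempfile.TemporaryDirectory() as tmp:
        course_dir = Path(tmp) / "course"
        try:
            names = safe_extract(zip_bytes, course_dir)
        except ValueError:
            return False, []
        # Every extracted file really is under course_dir.
        for p in course_dir.rglob("*"):
            assert course_dir.resolve() in p.resolve().parents
        return True, sorted(names)


if __name__ == "__main__":
    dest = Path("/tmp/scorm-demo")  # constructed destination for the demo
    for label, pkg in (("benign", BENIGN_PACKAGE),
                       ("traversal", TRAVERSAL_PACKAGE),
                       ("absolute", ABSOLUTE_PACKAGE)):
        print(label, "unsafe entries:", unsafe_members(pkg, dest))
```

The validation runs over the archive's central directory before anything touches disk, so an upload with a single bad entry is refused as a unit; that is preferable to stripping `..` from individual names, which can leave a package whose manifest references files that no longer exist. Note that the check is independent of whatever sanitising the extraction library itself performs, which is the point of the interim mitigation.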

Advisories

No advisories yet.

History

Wed, 20 May 2026 22:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Frappe; Frappe lms
Vendors & Products                     Frappe; Frappe lms

Wed, 20 May 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description                    Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.50.0 and below, a user with course editing role could upload a SCORM ZIP package to write files outside the intended directory. This issue has been resolved in version 2.50.1.
Title                          Frappe has Path Traversal via SCORM
Weaknesses                     CWE-22
References
Metrics                        cvssV4_0: {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T19:34:17.498Z

Reserved: 2026-04-07T00:23:30.594Z

Link: CVE-2026-39405

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-20T20:16:39.697

Modified: 2026-05-20T20:16:39.697

Link: CVE-2026-39405

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T22:30:40Z

Weaknesses