Description
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on client-side calculated scores, which can be altered using browser developer tools prior to sending the submission request. While this does not allow modification of other users’ data or privilege escalation, it compromises the integrity of quiz results and undermines academic reliability. This issue affects data integrity but does not expose confidential information or allow unauthorized access to other accounts. This vulnerability is fixed in 2.46.0.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Integrity – Students can modify quiz scores before submission
Action: Update
AI Analysis

Impact

A flaw in the client‑side score calculation allows a user to alter the displayed score with browser developer tools before the quiz result is submitted. The altered score is accepted by the server, so the final record for that quiz contains the malicious value. The vulnerability does not permit access to other users’ data or raise privileges; it only undermines the accuracy of a single student’s results and weakens the overall academic reliability of the system.
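
The trust boundary described above, as an added example (not Frappe LMS code; the handler names, the `Submission` shape and the answer key are assumptions): the "before" handler stores the client-supplied score, while the hardened one recomputes it from the submitted answers and flags a mismatch for review.

```python
# Added illustration of CWE-602; every name here is hypothetical, not Frappe LMS code.
from dataclasses import dataclass

# Constructed answer key, held server-side only: question id -> (correct option, marks)
ANSWER_KEY = {"q1": ("b", 2), "q2": ("d", 3), "q3": ("a", 5)}

@dataclass
class Submission:
    student: str
    answers: dict          # question id -> option chosen by the student
    client_score: int      # value computed in the browser and sent with the request

def record_score_vulnerable(sub: Submission) -> int:
    """'Before' behaviour: the stored score is whatever the client sent."""
    return sub.client_score

def score_server_side(answers: dict) -> int:
    """Recompute from the submitted answers; unknown ids and wrong options earn nothing."""
    total = 0
    for qid, (correct, marks) in ANSWER_KEY.items():
        if answers.get(qid) == correct:
            total += marks
    return total

def record_score_hardened(sub: Submission) -> tuple[int, bool]:
    """Store the recomputed score and report whether the client's claim disagreed."""
    if not isinstance(sub.answers, dict):
        raise ValueError("answers must be a mapping of question id to option")
    score = score_server_side(sub.answers)
    tampered = sub.client_score != score
    return score, tampered

# Constructed requests: 'forged' has one correct answer (2 marks) but claims 10.
forged = Submission("student@example.com", {"q1": "b", "q2": "a", "q3": "c"}, 10)
honest = Submission("other@example.com", {"q1": "b", "q2": "d", "q3": "a"}, 10)

if __name__ == "__main__":
    print(record_score_vulnerable(forged))   # client value stored as-is
    print(record_score_hardened(forged))     # recomputed, mismatch flagged
    print(record_score_hardened(honest))     # recomputed, claim matches
```

The mismatch flag is worth logging even after the fix, since a client that sends a score different from the recomputed one is either buggy or tampered with.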

Affected Systems

The vulnerability affects Frappe Learning Management System versions earlier than 2.46.0. Deployments that have not been upgraded to the patched release are susceptible. No other vendors or products are affected.

Risk and Exploitability

The CVSS score of 5.3 denotes moderate overall risk. Exploitation requires only the ability to open a quiz page in a browser. An attacker can alter the score locally with minimal effort, so the likelihood of abuse among active users is high, though it does not grant any additional access or compromise confidential data. The vulnerability is not listed in the CISA KEV catalog, and no EPSS score is available, indicating limited public exploitation data but a realistic threat in environments where academic integrity matters.

Generated by OpenCVE AI on April 8, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe LMS to version 2.46.0 or later.



Advisories

No advisories yet.

History

Thu, 09 Apr 2026 14:15:00 +0000

Values added (none removed):
Metrics ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Values added (none removed):
First Time appeared: Frappe; Frappe lms
Vendors & Products: Frappe; Frappe lms

Wed, 08 Apr 2026 20:30:00 +0000

Values added (none removed):
Description: Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on client-side calculated scores, which can be altered using browser developer tools prior to sending the submission request. While this does not allow modification of other users’ data or privilege escalation, it compromises the integrity of quiz results and undermines academic reliability. This issue affects data integrity but does not expose confidential information or allow unauthorized access to other accounts. This vulnerability is fixed in 2.46.0.
Title: Frappe Learning Management System has Client-Side Manipulation of Quiz Scores
Weaknesses: CWE-602
References:
Metrics cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T13:52:12.103Z

Reserved: 2026-04-07T00:23:30.595Z

Link: CVE-2026-39415

Vulnrichment

Updated: 2026-04-09T13:52:08.063Z

NVD

Status: Awaiting Analysis

Published: 2026-04-08T21:16:59.033

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39415

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:27Z

Weaknesses