Description
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on client-side calculated scores, which can be altered using browser developer tools prior to sending the submission request. While this does not allow modification of other users’ data or privilege escalation, it compromises the integrity of quiz results and undermines academic reliability. This issue affects data integrity but does not expose confidential information or allow unauthorized access to other accounts. This vulnerability is fixed in 2.46.0.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Score Integrity
Action: Apply Patch
AI Analysis

Impact

The vulnerability in Frappe Learning Management System allows students to alter quiz scores before submission by modifying client-side calculations. This compromise affects the integrity of quiz results, but it does not expose confidential data, provide privilege escalation, or grant access to other users' accounts.

Affected Systems

The issue affects installations of Frappe Learning Management System before version 2.46.0. Users running any earlier release are susceptible to manipulating quiz scores through browser developer tools.

Risk and Exploitability

With a CVSS score of 5.3 and an EPSS score below 1 %, the risk is moderate and the likelihood of exploitation is low. The attack vector is local, requiring the victim to use browser tools to alter the score value before sending the submission. Because it is client‑side, no network compromise is necessary. The vulnerability is not listed in the CISA KEV catalog, indicating no known large‑scale exploitation in the wild.

Generated by OpenCVE AI on April 13, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe LMS to version 2.46.0 or later.

Generated by OpenCVE AI on April 13, 2026 at 12:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Frappe learning
CPEs cpe:2.3:a:frappe:learning:*:*:*:*:*:*:*:*
Vendors & Products Frappe learning
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Thu, 09 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Frappe
Frappe lms
Vendors & Products Frappe
Frappe lms

Wed, 08 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on client-side calculated scores, which can be altered using browser developer tools prior to sending the submission request. While this does not allow modification of other users’ data or privilege escalation, it compromises the integrity of quiz results and undermines academic reliability. This issue affects data integrity but does not expose confidential information or allow unauthorized access to other accounts. This vulnerability is fixed in 2.46.0.
Title Frappe Learning Management System has Client-Side Manipulation of Quiz Scores
Weaknesses CWE-602
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Frappe Learning Lms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T13:52:12.103Z

Reserved: 2026-04-07T00:23:30.595Z

Link: CVE-2026-39415

cve-icon Vulnrichment

Updated: 2026-04-09T13:52:08.063Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T21:16:59.033

Modified: 2026-04-13T11:28:16.030

Link: CVE-2026-39415

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:25:02Z

Weaknesses