Description
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to version 2.53.0, an authenticated user could supply specially crafted content in certain user-editable fields that, when surfaced in page metadata, caused visitors' browsers to navigate to an attacker-chosen URL. This issue has been patched in version 2.53.0.
Published: 2026-06-09
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Frappe Learning Management System allows an authenticated user to enter specially crafted content in certain editable fields that, when displayed in page metadata, causes a visitor’s browser to navigate to an attacker‑chosen URL. The flaw is an instance of HTML injection (CWE‑74) and can lead to phishing or malicious redirection of end users. The impact is limited to the browsers of users who view the affected pages; it does not allow remote code execution or compromise of the server itself.

Affected Systems

The vulnerability exists in Frappe LMS versions earlier than 2.53.0. Any installations of frappe:lms running a pre‑2.53.0 release are affected. Users of newer releases are not susceptible.

Risk and Exploitability

The CVSS score of 2.1 indicates low severity. No EPSS value is available, and the vulnerability is not listed in CISA KEV. Exploitation requires the attacker to be an authenticated user with author privileges and to navigate victim browsers to the manipulated content, making it moderate risk in environments where many users commonly view shared metadata.

Generated by OpenCVE AI on June 10, 2026 at 02:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe LMS to version 2.53.0 or later.
  • Limit editing of the vulnerable metadata fields to trusted users and sanitize input to strip dangerous markup.
  • Implement a content security policy restricting navigation from meta elements or blocking external URLs triggered by those fields.

Generated by OpenCVE AI on June 10, 2026 at 02:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Frappe
Frappe lms
Vendors & Products Frappe
Frappe lms

Wed, 10 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Description Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to version 2.53.0, an authenticated user could supply specially crafted content in certain user-editable fields that, when surfaced in page metadata, caused visitors' browsers to navigate to an attacker-chosen URL. This issue has been patched in version 2.53.0.
Title Frappe LMS: HTML injection in user-controlled metadata
Weaknesses CWE-74
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Frappe Lms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T23:54:06.037Z

Reserved: 2026-05-14T20:42:31.368Z

Link: CVE-2026-46546

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T01:16:28.110

Modified: 2026-06-10T01:16:28.110

Link: CVE-2026-46546

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T02:15:19Z

Weaknesses