Is there a public PoC exploit available for CVE-2025-11281?

Yes, a public proof-of-concept exploit is available for CVE-2025-11281. Prioritise patching immediately. EPSS: 0.0%.

Frappe LMS CVE-2025-11281

Q: What is the CVSS score of CVE-2025-11281?

CVE-2025-11281 has a CVSS 4.0 base score of 1.3 (Low). CVSS vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

LOW

Incorrect Privilege Assignment (CWE-266)

2025-10-05 cna@vuldb.com

Information Disclosure Learning

1.3

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

1.3 LOW

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Apr 29, 2026 - 01:51 vuln.today

DescriptionCVE.org

A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the component Unpublished Course Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. You should upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.

AnalysisAI

Frappe LMS 2.35.0 contains improper access controls in the Unpublished Course Handler component at the /courses/ endpoint that allows authenticated remote attackers to access unauthorized information. The vulnerability requires high attack complexity and authenticated access, limiting real-world exploitation despite publicly available exploit code. CVSS 1.3 and EPSS 0.04% (11th percentile) indicate low practical risk despite public POC availability.

Technical ContextAI

Frappe LMS is a learning management system built on the Frappe framework. The vulnerability affects the Unpublished Course Handler, a component responsible for managing course access controls. The root cause is classified as CWE-266 (Improper Privilege Management), indicating the vulnerability stems from insufficient authorization checks when accessing unpublished course resources via the /courses/ endpoint. The flaw allows authenticated users to bypass intended access restrictions on course materials not intended for their access level, resulting in information disclosure rather than code execution or system compromise.

RemediationAI

Upgrade Frappe LMS to a version released after 2.35.0. The vendor confirmed fixes were implemented but release notes do not specify the patched version; contact Frappe directly or monitor GitHub releases for the next version after 2.35.0. As an interim compensating control, restrict access to the /courses/ endpoint using application-level role-based access controls or a WAF rule to enforce that only course instructors and administrators can access unpublished course resources. However, this workaround may impact legitimate administrative access to draft content, so testing in a non-production environment is essential before deployment.

CVE-2025-11281 vulnerability details – vuln.today

Back