Which versions of Frappe LMS are affected by CVE-2026-39405?

Frappe LMS deployments remain exposed to a critical file-injection risk where course administrators can exploit SCORM package uploads to place malicious files anywhere on the server, threatening…. A patch is available.

Frappe LMS CVE-2026-39405

Q: What is the CVSS score of CVE-2026-39405?

CVE-2026-39405 has a CVSS 4.0 base score of 9.4 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-31177 CRITICAL

Path Traversal (CWE-22)

2026-05-20 GitHub_M

Path Traversal

9.4

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 20, 2026 - 21:32 EUVD

Source Code Evidence Fetched

May 20, 2026 - 20:30 vuln.today

Analysis Generated

May 20, 2026 - 20:30 vuln.today

CVSS changed

May 20, 2026 - 20:22 NVD

9.4 (CRITICAL)

DescriptionNVD

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.50.0 and below, a user with course editing role could upload a SCORM ZIP package to write files outside the intended directory. This issue has been resolved in version 2.50.1.

AnalysisAI

Path traversal in Frappe Learning Management System (LMS) versions 2.50.0 and below allows authenticated users with course-editing privileges to write arbitrary files outside the intended upload directory by uploading a maliciously crafted SCORM ZIP package. The CVSS 4.0 base score of 9.4 reflects high impact across confidentiality, integrity, and availability with scope change to subsequent systems, though exploitation requires low-privileged authentication. …

RemediationAI

Within 24 hours: Audit Frappe LMS 2.50.0 and below instances and immediately revoke course-editing privileges except for essential trusted administrators. Within 7 days: Implement SCORM package validation, file upload restrictions, and comprehensive audit logging on file system operations. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-39405 vulnerability details – vuln.today

Back

Frappe LMS CVE-2026-39405

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Frappe LMS CVE-2026-39405

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code