Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.50.0 and below, a user with course editing role could upload a SCORM ZIP package to write files outside the intended directory. This issue has been resolved in version 2.50.1.
AnalysisAI
Path traversal in Frappe Learning Management System (LMS) versions 2.50.0 and below allows authenticated users with course-editing privileges to write arbitrary files outside the intended upload directory by uploading a maliciously crafted SCORM ZIP package. The CVSS 4.0 base score of 9.4 reflects high impact across confidentiality, integrity, and availability with scope change to subsequent systems, though exploitation requires low-privileged authentication. No public exploit identified at time of analysis.
Technical ContextAI
Frappe LMS is an open-source learning management platform built on the Frappe framework, commonly deployed for online course delivery and content structuring. The flaw is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal') triggered during the SCORM (Sharable Content Object Reference Model) package import workflow. SCORM packages are ZIP archives containing course assets, and Frappe LMS unpacks them server-side. The vulnerable code failed to sanitize entry names within the archive, permitting '../' sequences or absolute paths (a 'Zip Slip'-class issue) so attacker-controlled files land outside the SCORM extraction directory on the application server. Affected product per CPE is cpe:2.3:a:frappe:lms with the fix landing in the upstream repository via PR #2274 (backported in #2275).
RemediationAI
Vendor-released patch: upgrade to Frappe LMS v2.50.1, which includes the path-traversal fix backported via PR #2275 (https://github.com/frappe/lms/releases/tag/v2.50.1); see the GHSA advisory at https://github.com/frappe/lms/security/advisories/GHSA-mxh7-g3r7-g96h for details. If immediate upgrade is not possible, restrict the course-editor role to a minimal, trusted set of accounts and audit existing course-editor membership to reduce the pool of users who can reach the vulnerable SCORM upload path; this trades off operational friction during content authoring. As an additional compensating control, disable or block access to the SCORM import endpoint at a reverse proxy or WAF until patching is complete, accepting that instructors will be unable to upload SCORM content during that window; monitor application file-system writes outside the configured SCORM extraction directory for evidence of attempted exploitation.
lms version <= LMS_011123 contains a Local File Disclosure vulnerability in File reading functionality in LMS module tha
OS command injection in LMS (LAN Management System) before commit 9fcb4de allows authenticated adjacent attackers to exe
Error-based SQL injection in LMS (LAN Management System) before commit 4cb30a7 allows authenticated attackers to extract
Reflected Cross-Site Scripting in the designthemes LMS WordPress theme (versions 9.7 and earlier) allows unauthenticated
Stored cross-site scripting (XSS) in Frappe Learning Management System versions 2.27.0 through 2.47.x allows unauthentic
Frappe Learning Management System versions prior to 2.46.0 allow authenticated students to modify their own quiz scores
An issue in Mirapolis LMS 4.6.XX allows authenticated users to exploit an Insecure Direct Object Reference (IDOR) vulner
Reflected XSS in LAN Management System (LMS) before commit 9c5651b allows network-positioned attackers to inject arbitra
Metadata injection in Frappe LMS prior to version 2.53.0 enables authenticated users to embed crafted content into user-
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31177