Skip to main content

Frappe LMS CVE-2026-39405

| EUVDEUVD-2026-31177 CRITICAL
Path Traversal (CWE-22)
2026-05-20 GitHub_M
9.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 20, 2026 - 21:32 EUVD
Source Code Evidence Fetched
May 20, 2026 - 20:30 vuln.today
Analysis Generated
May 20, 2026 - 20:30 vuln.today
CVSS changed
May 20, 2026 - 20:22 NVD
9.4 (CRITICAL)

DescriptionGitHub Advisory

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.50.0 and below, a user with course editing role could upload a SCORM ZIP package to write files outside the intended directory. This issue has been resolved in version 2.50.1.

AnalysisAI

Path traversal in Frappe Learning Management System (LMS) versions 2.50.0 and below allows authenticated users with course-editing privileges to write arbitrary files outside the intended upload directory by uploading a maliciously crafted SCORM ZIP package. The CVSS 4.0 base score of 9.4 reflects high impact across confidentiality, integrity, and availability with scope change to subsequent systems, though exploitation requires low-privileged authentication. No public exploit identified at time of analysis.

Technical ContextAI

Frappe LMS is an open-source learning management platform built on the Frappe framework, commonly deployed for online course delivery and content structuring. The flaw is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal') triggered during the SCORM (Sharable Content Object Reference Model) package import workflow. SCORM packages are ZIP archives containing course assets, and Frappe LMS unpacks them server-side. The vulnerable code failed to sanitize entry names within the archive, permitting '../' sequences or absolute paths (a 'Zip Slip'-class issue) so attacker-controlled files land outside the SCORM extraction directory on the application server. Affected product per CPE is cpe:2.3:a:frappe:lms with the fix landing in the upstream repository via PR #2274 (backported in #2275).

RemediationAI

Vendor-released patch: upgrade to Frappe LMS v2.50.1, which includes the path-traversal fix backported via PR #2275 (https://github.com/frappe/lms/releases/tag/v2.50.1); see the GHSA advisory at https://github.com/frappe/lms/security/advisories/GHSA-mxh7-g3r7-g96h for details. If immediate upgrade is not possible, restrict the course-editor role to a minimal, trusted set of accounts and audit existing course-editor membership to reduce the pool of users who can reach the vulnerable SCORM upload path; this trades off operational friction during content authoring. As an additional compensating control, disable or block access to the SCORM import endpoint at a reverse proxy or WAF until patching is complete, accepting that instructors will be unable to upload SCORM content during that window; monitor application file-system writes outside the configured SCORM extraction directory for evidence of attempted exploitation.

Share

CVE-2026-39405 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy