Skip to main content

Lms CVE-2026-39415

| EUVDEUVD-2026-20603 MEDIUM
Client-Side Enforcement of Server-Side Security (CWE-602)
2026-04-08 GitHub_M
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.46.0
EUVD ID Assigned
Apr 08, 2026 - 20:46 euvd
EUVD-2026-20603
Analysis Generated
Apr 08, 2026 - 20:46 vuln.today
CVE Published
Apr 08, 2026 - 20:07 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on client-side calculated scores, which can be altered using browser developer tools prior to sending the submission request. While this does not allow modification of other users’ data or privilege escalation, it compromises the integrity of quiz results and undermines academic reliability. This issue affects data integrity but does not expose confidential information or allow unauthorized access to other accounts. This vulnerability is fixed in 2.46.0.

AnalysisAI

Frappe Learning Management System versions prior to 2.46.0 allow authenticated students to modify their own quiz scores via client-side manipulation using browser developer tools before submission. This vulnerability compromises the integrity of quiz results and academic reliability without enabling privilege escalation, unauthorized account access, or exposure of confidential information. The fix is available in version 2.46.0, and no public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

Frappe LMS implements quiz scoring logic on the client side, calculating scores in JavaScript before transmission to the server. This architecture violates the fundamental security principle of never trusting client-supplied data for security-critical calculations. CWE-602 (Client-Side Enforcement of Server-Side Security) describes this root cause: the application enforces data validation and integrity checks only on the client, where they can be circumvented by an authenticated user with access to browser developer tools (console, network inspection, DOM manipulation). The vulnerability affects all versions of the Frappe LMS package (cpe:2.3:a:frappe:lms:*:*:*:*:*:*:*:*) prior to 2.46.0, as the server-side code does not independently verify quiz scores before recording them.

RemediationAI

Upgrade Frappe LMS to version 2.46.0 or later to apply the vendor-released patch. The fix implements server-side validation and recalculation of quiz scores, ensuring that submitted scores are verified against the correct answers on the server before being recorded, eliminating the ability for students to manipulate client-side calculations. Organizations unable to upgrade immediately should implement compensating controls such as restricting quiz submissions to monitored testing environments, disabling browser developer tools on assessment terminals, or requiring instructor review of anomalous score submissions. For detailed patch information and guidance, refer to the official GitHub security advisory at https://github.com/frappe/lms/security/advisories/GHSA-9573-68xq-hwrx.

Share

CVE-2026-39415 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy