Frappe LMS CVE-2026-46546
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (GitHub_M) · only source for this CVE.
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to version 2.53.0, an authenticated user could supply specially crafted content in certain user-editable fields that, when surfaced in page metadata, caused visitors' browsers to navigate to an attacker-chosen URL. This issue has been patched in version 2.53.0.
AnalysisAI
Metadata injection in Frappe LMS prior to version 2.53.0 enables authenticated users to embed crafted content into user-editable fields that, when reflected in page metadata, silently redirects visiting users' browsers to an attacker-controlled URL. Exploitation requires a low-privilege account (PR:L) and passive victim interaction (UI:P) - a target must visit a page containing the poisoned content. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; its CVSS 4.0 score of 2.1 reflects genuinely low severity, though the redirect capability carries downstream phishing and credential-harvesting risk.
Technical ContextAI
The affected product is Frappe LMS, an open-source learning management system built on the Frappe framework (CPE: cpe:2.3:a:frappe:lms:*:*:*:*:*:*:*:*). CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - Injection) identifies the root cause class: user-supplied input is incorporated into page output - likely HTML metadata such as Open Graph tags, meta refresh directives, or canonical URL fields - without adequate sanitization or encoding. When a browser parses this metadata, it follows the attacker-planted URL rather than the intended destination. The attack is confined to the metadata layer rather than script injection, which explains the low CVSS impact scores (VI:L, VC:N) and the Information Disclosure tag, since the primary harm is enabling phishing rather than direct data exfiltration.
RemediationAI
Upgrade Frappe LMS to version 2.53.0, which contains the vendor-released patch for this vulnerability per the GitHub Security Advisory GHSA-2x47-gr9q-w6fv at https://github.com/frappe/lms/security/advisories/GHSA-2x47-gr9q-w6fv. If immediate upgrade is not feasible, a targeted compensating control is to audit and restrict which user roles can modify the specific user-editable fields involved in page metadata generation - for instance, limiting content creation to trusted instructor or admin roles rather than open self-registration. This reduces the attacker population but does not eliminate the vulnerability if any low-privilege users retain write access. There are no other workarounds identified in the available data; the restriction of self-registration is a partial mitigation with the trade-off of limiting platform openness.
lms version <= LMS_011123 contains a Local File Disclosure vulnerability in File reading functionality in LMS module tha
Path traversal in Frappe Learning Management System (LMS) versions 2.50.0 and below allows authenticated users with cour
OS command injection in LMS (LAN Management System) before commit 9fcb4de allows authenticated adjacent attackers to exe
Error-based SQL injection in LMS (LAN Management System) before commit 4cb30a7 allows authenticated attackers to extract
Reflected Cross-Site Scripting in the designthemes LMS WordPress theme (versions 9.7 and earlier) allows unauthenticated
Stored cross-site scripting (XSS) in Frappe Learning Management System versions 2.27.0 through 2.47.x allows unauthentic
Frappe Learning Management System versions prior to 2.46.0 allow authenticated students to modify their own quiz scores
An issue in Mirapolis LMS 4.6.XX allows authenticated users to exploit an Insecure Direct Object Reference (IDOR) vulner
Reflected XSS in LAN Management System (LMS) before commit 9c5651b allows network-positioned attackers to inject arbitra
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today