Skip to main content

Frappe LMS CVE-2026-46546

LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-06-09 GitHub_M
2.1
CVSS 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (GitHub_M) · only source for this CVE.

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 10, 2026 - 03:01 vuln.today
CVSS changed
Jun 10, 2026 - 01:22 NVD
2.1 (LOW)
CVE Published
Jun 09, 2026 - 23:54 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to version 2.53.0, an authenticated user could supply specially crafted content in certain user-editable fields that, when surfaced in page metadata, caused visitors' browsers to navigate to an attacker-chosen URL. This issue has been patched in version 2.53.0.

AnalysisAI

Metadata injection in Frappe LMS prior to version 2.53.0 enables authenticated users to embed crafted content into user-editable fields that, when reflected in page metadata, silently redirects visiting users' browsers to an attacker-controlled URL. Exploitation requires a low-privilege account (PR:L) and passive victim interaction (UI:P) - a target must visit a page containing the poisoned content. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; its CVSS 4.0 score of 2.1 reflects genuinely low severity, though the redirect capability carries downstream phishing and credential-harvesting risk.

Technical ContextAI

The affected product is Frappe LMS, an open-source learning management system built on the Frappe framework (CPE: cpe:2.3:a:frappe:lms:*:*:*:*:*:*:*:*). CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - Injection) identifies the root cause class: user-supplied input is incorporated into page output - likely HTML metadata such as Open Graph tags, meta refresh directives, or canonical URL fields - without adequate sanitization or encoding. When a browser parses this metadata, it follows the attacker-planted URL rather than the intended destination. The attack is confined to the metadata layer rather than script injection, which explains the low CVSS impact scores (VI:L, VC:N) and the Information Disclosure tag, since the primary harm is enabling phishing rather than direct data exfiltration.

RemediationAI

Upgrade Frappe LMS to version 2.53.0, which contains the vendor-released patch for this vulnerability per the GitHub Security Advisory GHSA-2x47-gr9q-w6fv at https://github.com/frappe/lms/security/advisories/GHSA-2x47-gr9q-w6fv. If immediate upgrade is not feasible, a targeted compensating control is to audit and restrict which user roles can modify the specific user-editable fields involved in page metadata generation - for instance, limiting content creation to trusted instructor or admin roles rather than open self-registration. This reduces the attacker population but does not eliminate the vulnerability if any low-privilege users retain write access. There are no other workarounds identified in the available data; the restriction of self-registration is a partial mitigation with the trade-off of limiting platform openness.

Share

CVE-2026-46546 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy