Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0.
AnalysisAI
Stored cross-site scripting (XSS) in Frappe Learning Management System versions 2.27.0 through 2.47.x allows unauthenticated remote attackers to inject and persist malicious scripts that execute in the browsers of other users. The vulnerability affects content structure functionality and has been patched in version 2.48.0. No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
Frappe LMS is a web-based learning platform built on the Frappe framework that manages educational content and course structure. The vulnerability stems from improper input validation and output encoding in content handling mechanisms (CWE-79: Improper Neutralization of Input During Web Page Generation). The stored XSS flaw allows attackers to bypass input sanitization and inject malicious JavaScript that persists in the application database, affecting all users who subsequently view the compromised content. The affected product is identified by CPE cpe:2.3:a:frappe:lms:*:*:*:*:*:*:*:* covering all versions in the affected range.
RemediationAI
Vendor-released patch: Frappe LMS version 2.48.0 or later. Organizations should upgrade immediately by pulling the latest release from https://github.com/frappe/lms/releases/tag/v2.48.0 or by updating through their package management system. The patch implements proper input validation and output encoding across content structure fields, as documented in upstream pull request https://github.com/frappe/lms/pull/2185 and commit b8283860a7f029ea2fa0245131c398c079088921. No workarounds are available prior to patching; input validation at the application layer cannot fully compensate for a stored XSS in persistent content. Administrators should verify the upgrade by checking the installed version and reviewing server logs for any suspicious content modifications during the affected version timeframe.
lms version <= LMS_011123 contains a Local File Disclosure vulnerability in File reading functionality in LMS module tha
Path traversal in Frappe Learning Management System (LMS) versions 2.50.0 and below allows authenticated users with cour
OS command injection in LMS (LAN Management System) before commit 9fcb4de allows authenticated adjacent attackers to exe
Error-based SQL injection in LMS (LAN Management System) before commit 4cb30a7 allows authenticated attackers to extract
Reflected Cross-Site Scripting in the designthemes LMS WordPress theme (versions 9.7 and earlier) allows unauthenticated
Frappe Learning Management System versions prior to 2.46.0 allow authenticated students to modify their own quiz scores
An issue in Mirapolis LMS 4.6.XX allows authenticated users to exploit an Insecure Direct Object Reference (IDOR) vulner
Reflected XSS in LAN Management System (LMS) before commit 9c5651b allows network-positioned attackers to inject arbitra
Metadata injection in Frappe LMS prior to version 2.53.0 enables authenticated users to embed crafted content into user-
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18462