Skip to main content

Lms EUVDEUVD-2026-18462

| CVE-2026-34606 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-02 GitHub_M
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.48.0
EUVD ID Assigned
Apr 02, 2026 - 18:15 euvd
EUVD-2026-18462
Analysis Generated
Apr 02, 2026 - 18:15 vuln.today
CVE Published
Apr 02, 2026 - 17:50 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0.

AnalysisAI

Stored cross-site scripting (XSS) in Frappe Learning Management System versions 2.27.0 through 2.47.x allows unauthenticated remote attackers to inject and persist malicious scripts that execute in the browsers of other users. The vulnerability affects content structure functionality and has been patched in version 2.48.0. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

Frappe LMS is a web-based learning platform built on the Frappe framework that manages educational content and course structure. The vulnerability stems from improper input validation and output encoding in content handling mechanisms (CWE-79: Improper Neutralization of Input During Web Page Generation). The stored XSS flaw allows attackers to bypass input sanitization and inject malicious JavaScript that persists in the application database, affecting all users who subsequently view the compromised content. The affected product is identified by CPE cpe:2.3:a:frappe:lms:*:*:*:*:*:*:*:* covering all versions in the affected range.

RemediationAI

Vendor-released patch: Frappe LMS version 2.48.0 or later. Organizations should upgrade immediately by pulling the latest release from https://github.com/frappe/lms/releases/tag/v2.48.0 or by updating through their package management system. The patch implements proper input validation and output encoding across content structure fields, as documented in upstream pull request https://github.com/frappe/lms/pull/2185 and commit b8283860a7f029ea2fa0245131c398c079088921. No workarounds are available prior to patching; input validation at the application layer cannot fully compensate for a stored XSS in persistent content. Administrators should verify the upgrade by checking the installed version and reviewing server logs for any suspicious content modifications during the affected version timeframe.

Share

EUVD-2026-18462 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy