CVE-2026-23497
📋 TL;DR
Frappe LMS versions 2.44.0 and earlier contain a stored cross-site scripting (XSS) vulnerability where attackers can upload specially crafted image filenames containing malicious JavaScript. When these images are rendered on course or jobs pages, the JavaScript executes in victims' browsers. This affects all users of vulnerable Frappe LMS instances.
💻 Affected Systems
- Frappe Learning Management System
📦 What is this software?
Learning by Frappe
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect users to malicious sites, or deploy malware through the compromised LMS instance.
Likely Case
Attackers with upload privileges could inject malicious scripts that steal user credentials or session tokens when other users view affected pages.
If Mitigated
With proper input validation and output encoding, malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires ability to upload images, which typically requires some level of access. The advisory includes technical details that could be weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit e7ccf0a711d0e0ab5e6b28b7a1e4e0510b6b9543
Vendor Advisory: https://github.com/frappe/lms/security/advisories/GHSA-78mq-3whw-69j5
Restart Required: No
Instructions:
1. Update Frappe LMS to a version containing commit e7ccf0a711d0e0ab5e6b28b7a1e4e0510b6b9543 or later.
2. Apply the security patch that adds proper filename sanitization.
3. Verify the fix by testing image upload functionality.
🔧 Temporary Workarounds
Disable image uploads
Temporarily disable image upload functionality until patching is complete
Implement WAF rules
Add web application firewall rules to block malicious filenames containing JavaScript patterns
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
- Enable file upload validation to reject filenames containing special characters or script patterns
🔍 How to Verify
Check if Vulnerable:
Check if Frappe LMS version is 2.44.0 or earlier and test by attempting to upload an image with a filename containing JavaScript code
Check Version:
Check Frappe LMS version in admin panel or via system configuration
Verify Fix Applied:
After patching, attempt to upload an image with malicious filename and verify it's either rejected or properly sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual image uploads with suspicious filenames containing script tags or JavaScript code
- Multiple failed upload attempts with special characters in filenames
Network Indicators:
- HTTP requests with filenames containing script patterns in upload endpoints
- Unusual outbound connections from LMS pages
SIEM Query:
source="frappe_lms" AND (filename="*<script>*" OR filename="*javascript:*" OR filename="*onerror=*" OR filename="*onload=*")
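The patterns from the SIEM query above, extended to mixed-case and percent-encoded filenames, as an added Python example (not code from the advisory or from Frappe). The JSON-lines log format and the `user` and `filename` field names are assumptions, and the sample events are constructed.

```python
import json
import re
from urllib.parse import unquote

# Patterns from the SIEM query on this page, matched case-insensitively.
SUSPICIOUS = re.compile(r"<script|javascript:|onerror\s*=|onload\s*=", re.IGNORECASE)
# Markup characters that a legitimate image filename does not need.
MARKUP_CHARS = re.compile(r"[<>\"'`]")

def normalize(filename, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded names are caught."""
    for _ in range(max_rounds):
        decoded = unquote(filename)
        if decoded == filename:
            break
        filename = decoded
    return filename

def classify(filename):
    """Return a reason string for a suspicious filename, or None if it looks clean."""
    name = normalize(filename)
    if SUSPICIOUS.search(name):
        return "script-pattern"
    if MARKUP_CHARS.search(name):
        return "markup-chars"
    return None

def scan(lines):
    """Yield (user, filename, reason) for each suspicious upload event."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON events
        filename = event.get("filename") if isinstance(event, dict) else None
        if isinstance(filename, str) and (reason := classify(filename)):
            yield event.get("user", "?"), filename, reason

# Constructed sample events in an assumed log format (not real Frappe output).
SAMPLE_LOG = [
    '{"user": "alice", "filename": "diagram.png"}',
    '{"user": "bob", "filename": "x<ScRiPt>.png"}',
    '{"user": "carol", "filename": "x%253Cscript%253E.png"}',
    '{"user": "dave", "filename": "banner onerror=1.png"}',
    '{"user": "erin", "filename": "chart>.png"}',
    'truncated line that is not JSON',
]

if __name__ == "__main__":
    for user, filename, reason in scan(SAMPLE_LOG):
        print(f"{reason:15} user={user} filename={filename!r}")
```

The same `classify` check can back the upload validation listed under "If You Can't Patch", rejecting a file when it returns a reason.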