📦 Learning
by Frappe
🛡️ Security Overview
⚠️ Known Vulnerabilities
Frappe LMS versions 2.44.0 and earlier contain a stored cross-site scripting (XSS) vulnerability where attackers can upload specially crafted image filenames containing malicious JavaScript. When thes...
This vulnerability allows authenticated attackers to inject malicious JavaScript into the Company Website field of the Job Form in Frappe LMS. When users view the compromised job posting, the script e...
Frappe LMS versions before 2.42.0 contain a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious HTML and JavaScript into description fields. This affect...
Frappe LMS versions before 2.41.0 have an authorization bypass vulnerability where authenticated users can perform actions beyond their assigned roles. The flaw occurs because server-side endpoints re...
CVE-2025-64707 is an access control vulnerability in Frappe Learning where role revocation isn't immediately effective due to caching issues. This allows users to retain privileges they should have lo...
CVE-2025-64705 is an information disclosure vulnerability in Frappe Learning Management System (LMS) that allows authenticated users to access other students' submissions. This affects all users of Fr...
Frappe Learning versions 2.39.1 and earlier contain a cross-site scripting (XSS) vulnerability where users can inject HTML through input fields in the Job Form. This allows attackers to execute arbitr...
Frappe Learning versions 2.39.1 and earlier contain a direct object reference vulnerability where students can access quiz forms by knowing the URL, bypassing intended access controls. This affects al...
Frappe Learning versions before 2.38.0 stored student-uploaded assignment attachments as public files, allowing anyone with the file URL to access them without authentication. This exposes potentially...
This vulnerability in Frappe LMS 2.35.0 allows attackers to bypass access controls on unpublished courses through the /courses/ endpoint. Attackers can potentially access restricted course content wit...
Frappe Learning versions 2.34.1 and below contain a cross-site scripting (XSS) vulnerability in profile bio content. Malicious SVG files uploaded to user profiles can execute arbitrary scripts in othe...
Frappe Learning versions 2.33.0 and below have an SVG upload vulnerability that allows attackers to upload malicious SVG files containing embedded JavaScript. When other users view these files, arbitr...