CVE-2025-67730

MEDIUM

Frappe Learning < 2.42.0 - XSS

Title source: rule

Description

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0.

Exploits (1)

nomisec WRITEUP

by Dharan10 · poc

https://github.com/Dharan10/CVE-2025-67730

View Code ZIP pw:eip

References (2)

[Patch] https://github.com/frappe/lms/commit/0877e32e1bfe64831b875707241de1c449cda45c

[Vendor Advisory] https://github.com/frappe/lms/security/advisories/GHSA-jjc4-j3hw-33h2

Scores

CVSS v3 5.4

EPSS 0.0005

EPSS Percentile 16.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

frappe/learning 2.0.0 - 2.42.0

Published Dec 12, 2025

Tracked Since Feb 18, 2026