CVE-2025-67730

MEDIUM

Frappe Learning Management System 2.0.0-2.41.9 - Stored XSS via Job Course and Batch Description

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-67730. PoCs published by Dharan10.

AI-analyzed exploit summary: This repository contains a detailed writeup for CVE-2025-67730, a stored XSS vulnerability affecting Job, Course, and Batch description fields in an unspecified software. The PoC demonstrates how an authenticated attacker can inject malicious JavaScript payloads that execute in the context of other users' browsers.

Description

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0.

Exploits (1)

nomisec WRITEUP
by Dharan10 · poc
https://github.com/Dharan10/CVE-2025-67730


Classification
Writeup 100%
Attack Type XSS
Complexity Trivial
Reliability Reliable
Target: Unspecified (likely a web application with Job/Course/Batch management features)
Auth required
Prerequisites: Authenticated user access · Ability to create/edit Job/Course/Batch entries
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 5.4
EPSS 0.0014
EPSS Percentile 4.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
frappe/learning 2.0.0 - 2.42.0
Published Dec 12, 2025
Tracked Since Feb 18, 2026