CVE-2026-34606

MEDIUM

Stored XSS in Frappe LMS

Title source: cna

Description

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0.

References (4)

[X_Refsource_Misc] https://github.com/frappe/lms/pull/2185

[X_Refsource_Misc] https://github.com/frappe/lms/commit/b8283860a7f029ea2fa0245131c398c079088921

View Writeup ZIP pw:eip

[X_Refsource_Misc] https://github.com/frappe/lms/releases/tag/v2.48.0

[X_Refsource_Confirm] https://github.com/frappe/lms/security/advisories/GHSA-qf5w-r34q-c7j2

Scores

CVSS v3 6.1

EPSS 0.0003

EPSS Percentile 9.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

frappe/learning 2.27.0 - 2.48.0

frappe/lms >= 2.27.0, < 2.48.0

Published Apr 02, 2026

Tracked Since Apr 03, 2026